Sample File: MD5 hash: f05fe39e81df5368c442a13202b4ab53 SHA1 hash: 0087d1d0cdde6268a425ef6d546a77e3a120c0f5 SHA256 hash: b2946daf21b5a0d9c70f32230f6e511ff4aeb939fc8f9a5d372a67f932483c4d SSDEEP hash: 6144:cfm2kjkjxuWiyKMUsTn8XBlKqqUY1BaE8D7h6JDAm30QWIOtfXuu4MCUlmoykTHt:cfm2hVuW7VgmUYSDevEbIOE7gFywyq+K Filename(s): payload_1.doc Filetype: Word Document Mutex IOCs: pptfigba Global\{A2BFDB87-353A-4FF0-949C-48D58EAD9552} Global\{4D1D9C61-769F-4781-A3DF-A2E3ACFF6A77} Global\{A7769AE9-77E1-4B28-9E3D-FAC58A61B7B9} Registry Key IOCs: HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} 
HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6} HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0 HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{6BF52A50-394A-11D3-B153-00C04F79FAA6}\1.0\0\win32 HKEY_CLASSES_ROOT\TypeLib\{0AF7F3BE-8EA9-4816-889E-3ED22871FE05} HKEY_CLASSES_ROOT\TypeLib\{0AF7F3BE-8EA9-4816-889E-3ED22871FE05}\1.0 HKEY_CLASSES_ROOT\TypeLib\{0AF7F3BE-8EA9-4816-889E-3ED22871FE05}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{0AF7F3BE-8EA9-4816-889E-3ED22871FE05}\1.0\0\win64 HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\ThreadingModel HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074} 
HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69} HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F} HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4} HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080} HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100} HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100}\Control HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100}\Insertable HKEY_CLASSES_ROOT\Clsid\{6BF52A52-394A-11D3-B153-00C04F79FAA6} HKEY_CLASSES_ROOT\Clsid\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\Control 
HKEY_CLASSES_ROOT\Clsid\{87291B51-0C8E-11D3-BB2A-00A0C93CA73A} HKEY_CLASSES_ROOT\Clsid\{FC1880CF-83B9-43A7-A066-C44CE8C82583} HKEY_CLASSES_ROOT\Clsid\{F2BF2C90-405F-11D3-BB39-00A0C93CA73A} HKEY_CLASSES_ROOT\Clsid\{61CECF11-FC3A-11D2-A1CD-005004602752} HKEY_CLASSES_ROOT\Clsid\{47DEA830-D619-4154-B8D8-6B74845D6A2D} HKEY_CLASSES_ROOT\Clsid\{93EB32F5-87B1-45AD-ACC6-0F2483DB83BB} HKEY_CLASSES_ROOT\Clsid\{AE7BFAFE-DCC8-4A73-92C8-CC300CA88859} HKEY_CLASSES_ROOT\Clsid\{D9DE732A-AEE9-4503-9D11-5605589977A8} HKEY_CLASSES_ROOT\Clsid\{6342FCED-25EA-4033-BDDB-D049A14382D3} HKEY_CLASSES_ROOT\Clsid\{A8A55FAC-82EA-4BD7-BD7B-11586A4D99E4} HKEY_CLASSES_ROOT\Clsid\{BAB3768B-8883-4AEC-9F9B-E14C947913EF} HKEY_CLASSES_ROOT\Clsid\{6B28F900-8D64-4B80-9963-CC52DDD1FBB4} HKEY_CLASSES_ROOT\Clsid\{AE3B6831-25A9-11D3-BD41-00C04F6EA5AE} HKEY_CLASSES_ROOT\Clsid\{09AEFF11-69EF-11D3-BD4D-00C04F6EA5AE} HKEY_CLASSES_ROOT\Clsid\{95F45AA3-ED0A-11D2-BA67-0000F80855E6} HKEY_CLASSES_ROOT\Clsid\{DDDA102E-0E17-11D3-A2E2-00C04F79F88E} HKEY_CLASSES_ROOT\Clsid\{5F9CFD93-8CAD-11D3-9A7E-00C04F8EFB70} HKEY_CLASSES_ROOT\Clsid\{09428D37-E0B9-11D2-B147-00C04F79FAA6} HKEY_CLASSES_ROOT\Clsid\{D50FED35-0A08-4B17-B3E0-A8DD0EDE375D} HKEY_CLASSES_ROOT\Clsid\{D50FED35-0A08-4B17-B3E0-A8DD0EDE375D}\Control HKEY_CLASSES_ROOT\Clsid\{D50FED35-0A08-4B17-B3E0-A8DD0EDE375D}\Insertable HKEY_CLASSES_ROOT\Clsid\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3} HKEY_CLASSES_ROOT\Clsid\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\Control HKEY_CLASSES_ROOT\Clsid\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\Insertable HKEY_CLASSES_ROOT\Clsid\{8627E73B-B5AA-4643-A3B0-570EDA17E3E7} HKEY_CLASSES_ROOT\Clsid\{8627E73B-B5AA-4643-A3B0-570EDA17E3E7}\Control HKEY_CLASSES_ROOT\Clsid\{ECF44975-786E-462F-B02A-CBCCB1A2C4A2} HKEY_CLASSES_ROOT\Clsid\{ECF44975-786E-462F-B02A-CBCCB1A2C4A2}\Control HKEY_CLASSES_ROOT\Clsid\{ECF44975-786E-462F-B02A-CBCCB1A2C4A2}\Insertable HKEY_CLASSES_ROOT\Clsid\{25B29D27-197E-4E3C-B420-964C8D240142} 
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MdiMaximized HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridWidth HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridHeight HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowGrid HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AlignToGrid HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\SaveBeforeRun HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowToolTips HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CollapseWindows HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UpgradeVBX HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ReadOnlyMode HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackgroundProjectLoad HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FolderView HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Tool HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\PropertiesWindow HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UI HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Dock HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins64 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Designers HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ToolboxControls HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CtlsShowSelected HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\DsnShowSelected HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MainWindow HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_CURRENT_USER\Software\Microsoft\Windows Script 
Host\Settings\TrustPolicy HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CLASSES_ROOT\.vbs HKEY_CLASSES_ROOT\VBSFile\ScriptEngine HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\AmsiEnable HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext 
HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN\ServiceStackVersion HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. 
Europe Standard Time\MUI_Dlt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2} HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB 
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType HKEY_CURRENT_USER HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport HKEY_PERFORMANCE_DATA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1051304884-625712362-2192934891-1000 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1051304884-625712362-2192934891-1000\ProfileImagePath HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity (note: the registry keys above are dominated by standard VBA, Windows Script Host, Command Processor and PowerShell policy/logging reads — e.g. AmsiEnable, ScriptBlockLogging, ModuleLogging, Transcription — that a script host performs on startup; they are useful as context for what ran, not as unique indicators) Domain IOCs: rijschoolfastandserious.nl IP IOCs: 185.104.29.52 127.0.0.1 (loopback; not a network indicator — do not add to blocklists) URL IOCs: http://rijschoolfastandserious.nl/rprmloaw/111111.png File IOCs: (note: most paths below are standard PowerShell module, profile and Office/VBA locations touched by the PowerShell and Word hosts; the non-standard paths — the .vbs files under C:\ProgramData, the C:\BlotRots\ .cmd/.exe/.cfg files and the files under %APPDATA%\Microsoft\Qieeyrekuc\ — are the ones worth hunting for; the user name FD1HVy and the S-1-5-21-… SID are sandbox-specific and should be generalised before use) Filenames: C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack \??\C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management C:\WINDOWS\system32 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.dll C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 C:\BlotRots\Loterios.exe C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll C:\WINDOWS C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient\DnsClient.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 
C:\Users\FD1HVy\AppData\Roaming\Microsoft\Qieeyrekuc\xafpqko.exe C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Kds\Kds.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility C:\ProgramData\UIYUIYUIYuiyuiYUIYYuyty.vbs C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.xaml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflowUtility C:\Program Files\WindowsPowerShell\Modules C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\ProgramData\Oracle\Java\javapath C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\iSCSI C:\Users\FD1HVy\AppData\Local\Temp\__PSScriptPolicyTest_gbvqg2du.z4l.ps1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\EventTracingManagement C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 C:\BlotRots\Loterios.exe.cfg C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml C:\Program Files\WindowsPowerShell\Modules\Modules.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 \??\C:\ProgramData\UIYUIYUIYuiyuiYUIYYuyty.vbs document.xml vbaProject.bin C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 C:\WINDOWS\SysWOW64\explorer.exe C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 CONOUT$ C:\WINDOWS\System32\calc.exe C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StartLayout C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx\Appx.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SecureBoot C:\Program Files\WindowsPowerShell\Modules\PowerShellGet C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1 C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Appx C:\Users\FD1HVy\Documents\WindowsPowerShell\profile.ps1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.ni.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml C:\Users\FD1HVy\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\FD1HVy\AppData\Local\Temp\ C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll C:\Program Files\WindowsPowerShell\Modules\PackageManagement C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\UEV\UEV.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MMAgent C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility C:\WINDOWS\System32\Wbem C:\Program Files\WindowsPowerShell\Modules\Modules.dll C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.cdxml C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 C:\Users\FD1HVy\AppData\Local\Temp\Word8.0 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppLocker C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.xaml C:\Users\FD1HVy\AppData\Roaming\Microsoft\Qieeyrekuc\xafpqko.dat C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetConnection C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DnsClient C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbWitness C:\WINDOWS\System32\WScript.exe C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Provisioning C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.ni.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1 C:\BlotRots C:\Users\FD1HVy\Desktop\payload_1.doc C:\Program Files\WindowsPowerShell\Modules\Modules.xaml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.ni.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll C:\Users\FD1HVy\AppData\Roaming\Microsoft\Qieeyrekuc\chcwbgvooi.jzc C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml C:\WINDOWS\System32\WindowsPowerShell\v1.0\ C:\Program Files\WindowsPowerShell\Modules\Modules.psm1 C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.cdxml C:\Users\FD1HVy\AppData\Local\Temp\VBE C:\Windows\SysWOW64\cmd.exe endnotes.xml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSWorkflow C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1 settings.xml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSecurity C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\International\International.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml C:\Program Files\WindowsPowerShell\Modules\Modules.cdxml 
C:\Users\FD1HVy\Documents\WindowsPowerShell\Modules C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MsDtc C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetAdapter C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Storage C:\Users\FD1HVy C:\ C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psm1 C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.ni.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 C:\Users\FD1HVy\AppData\Roaming\Microsoft\Qieeyrekuc C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Modules.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadLine.psm1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.ni.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 ping.exe 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PKI C:\WINDOWS\system32\wldp.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 \??\C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management "C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd" C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 C:\WINDOWS\system32\timeout.exe C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\Microsoft.PowerShell.Operation.Validation.ni.dll C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 C:\Users\FD1HVy\AppData\Local\Temp\~xafpqko.tmp C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSMQ C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetLbfo C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll 
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation C:\Users\FD1HVy\AppData\Local\Microsoft\Windows\PowerShell C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psd1 C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP Normal C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitLocker footnotes.xml C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Wdac C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe.config C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\ConfigCI C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 C:\ProgramData C:\Program Files\WindowsPowerShell\Modules\Modules.ni.dll C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1 image1.png MD5 hashes: ad7b09adba59218ce485148faf21dc82 cf8c43d0b64478708ccfa80aa8e87bc8 ee5c425bd4738521f177f2a418bb1745 c4ca4238a0b923820dcc509a6f75849b 159ab34f06af279ef3f57c2ceadb9768 2c863d3b50ac48b86a109f24d84179c6 b6608e351be97da6ac46b15cdb208f13 5da516c9bd0e29ec357c52fcf4a5f5c2 2282ed85cfc02646ca526f0a14924316 ac75e026443cd05ae30409eec12d9e10 f07e30c22ead3c49606617eb04fbf9c7 f05fe39e81df5368c442a13202b4ab53 2d63e5c7ff61a560f0cc7dccd0661bf6 2cf2ace32a9a9c6aebed3975a41b1a27 a867b95c7f735b6ac1f235e4dec72485 58b7e077fdcaae67670713374fe6e869 c658fbd34b9297e83d153ef2acc802bf SHA1 hashes: f64fe619cd5de1979287e6f6bf2bc354fbc0b666 dcabf4bba851e92d45e5a60390bb4eb2b1ef5fd4 2cf12d3b8f62528bc1d02d2fe3b0e5a877676576 98030b0d51b8fb18acbc17eee76ea43c4ad16251 dbfa3fa1dd387290394fdfa19e163a2ef774567a 99c1ec3815701a65d2f496296e2bb542e102709c 854a1a8f5178f6e696bb245007b9903906b4af14 995efc69bd84b193786de1a993ad7052f14e9542 0a3851f903f7d928688e5ebeee13f6d5d921b4de 
a3dc71d64153da89fc83998fc33c16574dbdc194 d8a1df54794ee12b36051e1a6ae087c0dece6179 539dbd8cda2c1e6ada7a02e146c33b5aae7b1099 aad4fb86e5cc03ded0aeba3e334569e95706b0a7 356a192b7913b04c54574d18c28d46e6395428ab 0087d1d0cdde6268a425ef6d546a77e3a120c0f5 5ead4ecd9b7329c8a80d668be2e1219dd5f4f185 1627bbc3a3fe41794f59f31699e09c5704c7b3c8 SHA256 hashes: a09c4e6ff2ee16e7b6cd1865e33147711f0f894ce99000937444da61dd36d50e 9df5fc5f7b4db8881976cc92e377e5d51bcfb74c76b92a965c9e343d47b9cf50 9294de934df9fa2b8aa261e9abf071b5ef2c023e368125a6f23b4a8fdfd598be b2946daf21b5a0d9c70f32230f6e511ff4aeb939fc8f9a5d372a67f932483c4d 94a12075382cb44133ba8dd51973b583d4c2514f7d3d7414ae4d9a92b5354584 214fd312196dd5769f94ed778c50df1eaf49a5c8287c67edcf2fbd05dff02cb2 4639cb4ccdef149ef325770ccf4fff658b7cb528d71661113dbfe9e1c683dbf9 37790b6946072ccacb7cf9be694b962deee2c53818449eba20f450389d0cfa4a b0d2bf6da08350e1bd794d94f09567798e77491658b4a12f1d4baf9e9f228047 1675997a7f2dbab63b955889ece8d81e0331e25a0b551f8fd563e04b1bc3cb9e c0f9cc1663b74a106c5c3356988ffa42d64f9c941ef9cb46aabf16ce8a213baf 3c821e90238f6699f44ae71ec451d8ddd6663f60747dbb01dc376e2a118f4086 8558d5db67061bd559d38e9532fce71240db0f9fe962e6521c2231917b680c1c fa285309506d70241db1db739c39e428c3eb88dc1229a80bcf15c36f5f71e6c2 eed8ec8e5b9e3133ceff1f87e6b4174e99a8029c5d4ab1c6a3953d1a8807cd32 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b 2689c777d804cc65a09bee259cbc39256390c3ad6e9f1794d794e3b1d361d662 SSDEEP hashes: 1536:TC70ITO1lsleRKby43mmImmmmm/V1GRpCcPh45V7yJVx4wFc4PMo5Y1ns3wt:T5yO1lQ33mmImmmmmd14CTt1ns3wt 96:YSGSuSQSoSGScCSuSQSoSGScCSuSQSoSGScZNXt2fy8OtSuSQSoSGScCSuSQSoSc:SYfmm 384:qP3sr4k8HXLiZi20WSIYWfiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiir9:fYig29i 3:wLqwG20JY2VlvE88MhA55lf0l9PZltsrpUHyWhxxLegOUR95HFp8Y79tvLn:wLqwhIY2d8MhA1ynQrmyRgnEY7HL 24:v1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1pB1p1:t 1536:UYRGs41wV1NPAYkD2JDVhGI2JDVPPAYkD2JDVCAYkD2JDVhGaa:CD 3:GnvLPCJCQicY2VlvE88MhA55lf0l9PZn:Gv7KCQicY2d8MhA1ynn 
3:ywhtsGz4/26kbhKjq8+LP35pPsn:yUtsG8Ebh98+L356 48:cpv+Bc6mNYYNEbz+qliS+Q+H+Uv+L+pNRQmTRQl:Usc6mmY+bzZliSfiZoBhl 768:jUpAa5BHMrxbfrRJPFh48Fq3ThRW/Y+e+jH0qlwKH/mYohV3IpNBQkj2As454Z6D:jUpAa5RMrxbflJdh4thRW/3e+jH0qWKh 96:+c6mmY+bliStHhm93QxN9xbufLlxzuZRRaKTrIYtisqt99Q4SQga9S:+xmmY+gsHQ9ortisqt99Q4SQga9S 6144:VMhkpTK06/aA6udzpNi1yna2PiQ0erLeROSEGo89QNn/o8S2M1KpWwR+SHvRu4Tr:VMEK06CmNi1L54Z89QNNpJgC5j 1536:37WNeMBHx1GGd+CKtfSo4+oYFNaeI2bsuhNe4VTdRnTT8w4TWnqp:eeA3GGRwfkYFdhNe4VTdRnTT8w4TWnq 48:c4v+Bc6mNYYNEbz+qliS+Q+H+Uv+L+p4zRQ1ITRQh:9sc6mmY+bzZliSfiZoRK1bh 6144:cfm2kjkjxuWiyKMUsTn8XBlKqqUY1BaE8D7h6JDAm30QWIOtfXuu4MCUlmoykTHt:cfm2hVuW7VgmUYSDevEbIOE7gFywyq+K 3:U:U 6144:axuWiyKMUsTn8XBlKqqUY1BaE8D7h6JDAm30QWIOtfXuu4MCUlmoykTHSqSrg:muW7VgmUYSDevEbIOE7gFywyqv